[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
www/server/staging/proprietary malware-microsof...
|
From: |
Therese Godefroy |
|
Subject: |
www/server/staging/proprietary malware-microsof... |
|
Date: |
Mon, 24 Sep 2018 17:26:47 -0400 (EDT) |
CVSROOT: /webcvs/www
Module name: www
Changes by: Therese Godefroy <th_g> 18/09/24 17:26:47
Modified files:
server/staging/proprietary: malware-microsoft.html
proprietary-back-doors.html
proprietary-surveillance.html
Log message:
Regenerated pages.
CVSWeb URLs:
http://web.cvs.savannah.gnu.org/viewcvs/www/server/staging/proprietary/malware-microsoft.html?cvsroot=www&r1=1.4&r2=1.5
http://web.cvs.savannah.gnu.org/viewcvs/www/server/staging/proprietary/proprietary-back-doors.html?cvsroot=www&r1=1.3&r2=1.4
http://web.cvs.savannah.gnu.org/viewcvs/www/server/staging/proprietary/proprietary-surveillance.html?cvsroot=www&r1=1.5&r2=1.6
Patches:
Index: malware-microsoft.html
===================================================================
RCS file: /webcvs/www/www/server/staging/proprietary/malware-microsoft.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -b -r1.4 -r1.5
--- malware-microsoft.html 23 Sep 2018 21:05:07 -0000 1.4
+++ malware-microsoft.html 24 Sep 2018 21:26:47 -0000 1.5
@@ -64,15 +64,10 @@
<h3 id="back-doors">Microsoft Back Doors</h3>
-<ul>
- <li id="M201512280">
- <p><a
-
href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/";>
- Microsoft has backdoored its disk encryption</a>.</p>
- </li>
-
- <li id="M201507170">
- <p>Microsoft Windows has a universal back door through which <a
+<ul class="blurbs">
+ <li id="M201608172">
+ <p id="windows-update">Microsoft
+ Windows has a universal back door through which <a
href="http://www.informationweek.com/microsoft-updates-windows-without-user-permission-apologizes/d/d-id/1059183";>
any change whatsoever can be imposed on the users</a>.</p>
@@ -80,7 +75,7 @@
href="http://slated.org/windows_by_stealth_the_updates_you_dont_want";>reported
in 2007</a> for XP and Vista, and it seems
that Microsoft used the same method to push the <a
- href="/proprietary/malware-microsoft.html#windows10-forcing">Windows
+ href="#windows10-forcing">Windows
10 downgrade</a> to computers running Windows 7 and 8.</p>
<p>In Windows 10, the universal back door
@@ -89,9 +84,15 @@
and immediately imposed</a>.</p>
</li>
+ <li id="M201512280">
+ <p><a
+
href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/";>
+ Microsoft has backdoored its disk encryption</a>.</p>
+ </li>
+
<li id="M201308230">
<p>The German government <a
-
href="https://web.archive.org/web/20160310201616/http://drleonardcoldwell.com/2013/08/23/leaked-german-government-warns-key-entities-not-to-use-windows-8-linked-to-nsa/";>veers
+
href="http://drleonardcoldwell.com/leaked-german-government-warns-key-entities-not-to-use-windows-8-linked-to-nsa/";>veers
away from Windows 8 computers with TPM 2.0</a>, due to potential back
door capabilities of the TPM 2.0 chip.</p>
</li>
@@ -112,7 +113,7 @@
<h3 id="drm">Microsoft DRM</h3>
-<ul>
+<ul class="blurbs">
<li id="M200708131">
<p><a href="http://arstechnica.com/apple/2007/08/aacs-tentacles/";>DRM
in Windows</a>, introduced to cater to <a href="#bluray">Bluray</a>
@@ -130,7 +131,7 @@
supposition that prestigious proprietary software doesn't have grave
bugs.</p>
-<ul>
+<ul class="blurbs">
<li id="M201705120">
<p>Exploits of bugs in Windows, which were developed by the NSA
and then leaked by the Shadowbrokers group, are now being used to <a
@@ -150,8 +151,8 @@
<p><a
href="http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/";>
Point-of-sale terminals running Windows were taken over and turned
- into a botnet for the purpose of collecting customers' credit card
- numbers</a>.</p>
+ into a botnet</a> for the purpose of collecting customers' credit
+ card numbers.</p>
</li>
</ul>
@@ -162,7 +163,7 @@
for the word “sabotage”. Nonetheless, they are nasty and wrong.
This section describes examples of Microsoft committing
interference.</p>
-<ul>
+<ul class="blurbs">
<li id="M201809120">
<p>One version of Windows 10 <a
href="https://www.ghacks.net/2018/09/12/microsoft-intercepting-firefox-chrome-installation-on-windows-10/";>
@@ -220,7 +221,7 @@
<h3 id="jails">Microsoft Jails</h3>
-<ul>
+<ul class="blurbs">
<li id="M201706130">
<p>Windows 10 S was a jail: <a
href="https://www.theguardian.com/technology/2017/may/03/windows-10-s-microsoft-faster-pc-comparison";>
@@ -250,7 +251,7 @@
But they are a lot like malware, since they are technical Microsoft
actions that harm the users of specific Microsoft software.</p>
-<ul>
+<ul class="blurbs">
<li id="M201704194">
<p>Microsoft has made Windows 7
and 8 cease to function on certain new computers, <a
@@ -275,11 +276,12 @@
Microsoft was forcing them to replace Windows 7 and 8 with all-spying
Windows 10</a>.</p>
- <p>Microsoft did use many tricks to “persuade”
+ <p>Microsoft used many tricks to “persuade”
reluctant users to switch. Among other things, it forced <a
href="https://www.theguardian.com/technology/2015/sep/11/microsoft-downloading-windows-1";>
- stealth downloads of Windows
- 10</a>. Not only did the unwanted downloads <a
+ stealth downloads of Windows 10</a>, apparently through a <a
+ href="#windows-update">universal
+ back door</a>. Not only did the unwanted downloads <a
href="https://www.theregister.co.uk/2016/06/03/windows_10_upgrade_satellite_link/";>
use up much needed resources</a>, but many of
the people who let installation proceed found
@@ -309,7 +311,7 @@
<li id="M201606010">
<p>Once Microsoft has tricked a user
into accepting installation of Windows 10, <a
-
href="http://www.theregister.co.uk/2016/06/01/windows_10_nagware_no_way_out/";>they
+
href="https://www.theregister.co.uk/2016/06/01/windows_10_nagware_no_way_out/";>they
find that they are denied the option to cancel or even postpone the
imposed date of installation</a>.</p>
@@ -361,7 +363,7 @@
<h3 id="subscriptions">Microsoft Subscriptions</h3>
-<ul>
+<ul class="blurbs">
<li id="M201507150">
<p>Microsoft Office forces users <a
href="https://www.computerworld.com/article/2948755/windows-apps/office-for-windows-10-will-require-office-365-subscription-on-pcs-larger-tablets.html";>to
@@ -372,7 +374,7 @@
<h3 id="surveillance">Microsoft Surveillance</h3>
-<ul>
+<ul class="blurbs">
<li id="M201710134">
<p>Windows 10 telemetry program sends information to Microsoft about
the user's computer and their use of the computer.</p>
@@ -406,6 +408,12 @@
now distributes them to another company.</p>
</li>
+ <li id="M201608171">
+ <p>In order to increase Windows 10's install base, Microsoft <a
+
href="https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive";>
+ blatantly disregards user choice and privacy</a>.</p>
+ </li>
+
<li id="M201603170">
<p><a
href="https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security";>
@@ -424,7 +432,7 @@
<p>A downgrade to Windows 10 deleted surveillance-detection
applications. Then another downgrade inserted a general spying
program. Users noticed this and complained, so Microsoft renamed it <a
-
href="https://web.archive.org/web/20160407082751/http://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/";>
+
href="https://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/";>
to give users the impression it was gone</a>.</p>
<p>To use proprietary software is to invite such treatment.</p>
@@ -501,7 +509,7 @@
<li id="M201307080">
<p>Spyware in older versions of Windows: <a
-
href="https://web.archive.org/web/20160313105805/http://www.theregister.co.uk/2003/02/28/windows_update_keeps_tabs/";>
+ href="https://www.theregister.co.uk/2003/02/28/windows_update_keeps_tabs/";>
Windows Update snoops on the user</a>. <a
href="https://www.infoworld.com/article/2611451/microsoft-windows/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html";>
Windows 8.1 snoops on local searches</a>. And there's a <a
@@ -513,7 +521,7 @@
<h3 id="tyrants">Microsoft Tyrants</h3>
-<ul>
+<ul class="blurbs">
<li id="M201607150">
<p>Microsoft accidentally left a way for users
to install GNU/Linux on Windows RT tablets, but now it has <a
@@ -591,7 +599,7 @@
<p class="unprintable">Updated:
<!-- timestamp start -->
-$Date: 2018/09/23 21:05:07 $
+$Date: 2018/09/24 21:26:47 $
<!-- timestamp end -->
</p>
</div>
Index: proprietary-back-doors.html
===================================================================
RCS file:
/webcvs/www/www/server/staging/proprietary/proprietary-back-doors.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -b -r1.3 -r1.4
--- proprietary-back-doors.html 23 Sep 2018 21:05:07 -0000 1.3
+++ proprietary-back-doors.html 24 Sep 2018 21:26:47 -0000 1.4
@@ -41,10 +41,43 @@
<h3 id='spy'>Spying</h3>
+<ul class="blurbs">
+ <li id="M201706070">
+ <p id="InternetCameraBackDoor">Many models of Internet-connected
+ cameras contain a glaring back door—they have login
+ accounts with hard-coded passwords, which can't be changed, and <a
+
href="https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/";>
+ there is no way to delete these accounts either</a>.</p>
+
+ <p>Since these accounts with hard-coded passwords are impossible
+ to delete, this problem is not merely an insecurity; it amounts to
+ a back door that can be used by the manufacturer (and government)
+ to spy on users.</p>
+ </li>
+
+ <li id="M201512280">
+ <p><a
+
href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/";>
+ Microsoft has backdoored its disk encryption</a>.</p>
+ </li>
+
+ <li id="M201409220">
+ <p>Apple can, and regularly does, <a
+
href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/";>
+ remotely extract some data from iPhones for the state</a>.</p>
+
+ <p>This may have improved with <a
+
href="http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html";>
+ iOS 8 security improvements</a>; but <a
+ href="https://firstlook.org/theintercept/2014/09/22/apple-data/";>
+ not as much as Apple claims</a>.</p>
+ </li>
+</ul>
+
<h3 id='alter-data'>Altering user's data or settings</h3>
-<ul>
+<ul class="blurbs">
<li id="M201809140">
<p>Android has a <a
href="https://www.theverge.com/platform/amp/2018/9/14/17861150/google-battery-saver-android-9-pie-remote-settings-change";>
@@ -131,9 +164,9 @@
<p>Amazon responded to criticism by saying it
would delete books only following orders from the
state. However, that policy didn't last. In 2012 it <a
-
href="http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html";>
- wiped a user's Kindle-Swindle and deleted her account</a>, then
- offered her kafkaesque “explanations.”</p>
+
href="http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html";>wiped
+ a user's Kindle-Swindle and deleted her account</a>, then offered
+ her kafkaesque “explanations.”</p>
<p>Do other ebook readers have back doors in their nonfree software? We
don't know, and we have no way to find out. There is no reason to
@@ -151,7 +184,7 @@
<h3 id='install-delete'>Installing or deleting programs</h3>
-<ul>
+<ul class="blurbs">
<li id="M201804010">
<p>Some “Smart” TVs automatically <a
href="https://web.archive.org/web/20180405014828/https:/twitter.com/buro9/status/980349887006076928";>load
@@ -219,7 +252,7 @@
<h3 id='universal'>Full control</h3>
-<ul>
+<ul class="blurbs">
<li id="M201711244">
<p>The Furby Connect has a <a
href="https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect";>
@@ -266,18 +299,9 @@
company can use</a>.</p>
</li>
- <li id="M201606060">
- <p>The Amazon Echo appears to have a universal back door, since <a
- href="https://en.wikipedia.org/wiki/Amazon_Echo#Software_updates";>
- it installs “updates” automatically</a>.</p>
-
- <p>We have found nothing explicitly documenting the lack of any way
- to disable remote changes to the software, so we are not completely
- sure there isn't one, but this seems pretty clear.</p>
- </li>
-
- <li id="M201507170">
- <p>Microsoft Windows has a universal back door through which <a
+ <li id="M201608172">
+ <p id="windows-update">Microsoft
+ Windows has a universal back door through which <a
href="http://www.informationweek.com/microsoft-updates-windows-without-user-permission-apologizes/d/d-id/1059183";>
any change whatsoever can be imposed on the users</a>.</p>
@@ -285,7 +309,7 @@
href="http://slated.org/windows_by_stealth_the_updates_you_dont_want";>reported
in 2007</a> for XP and Vista, and it seems
that Microsoft used the same method to push the <a
- href="/proprietary/malware-microsoft.html#windows10-forcing">Windows
+
href="server/staging/proprietary/malware-microsoft.html#windows10-forcing">Windows
10 downgrade</a> to computers running Windows 7 and 8.</p>
<p>In Windows 10, the universal back door
@@ -294,6 +318,16 @@
and immediately imposed</a>.</p>
</li>
+ <li id="M201606060">
+ <p>The Amazon Echo appears to have a universal back door, since <a
+ href="https://en.wikipedia.org/wiki/Amazon_Echo#Software_updates";>
+ it installs “updates” automatically</a>.</p>
+
+ <p>We have found nothing explicitly documenting the lack of any way
+ to disable remote changes to the software, so we are not completely
+ sure there isn't one, but this seems pretty clear.</p>
+ </li>
+
<li id="M201412180">
<p><a
href="http://www.theguardian.com/technology/2014/dec/18/chinese-android-phones-coolpad-hacker-backdoor";>
@@ -307,7 +341,7 @@
<p><a
href="http://www.techienews.co.uk/973462/bitcoin-miners-bundled-pups-legitimate-applications-backed-eula/";>
Some applications come with MyFreeProxy, which is a universal back
- door that can download programs and run them</a>.</p>
+ door</a> that can download programs and run them.</p>
</li>
<li id="M201202280">
@@ -337,7 +371,7 @@
<h3 id='other'>Other or undefined</h3>
-<ul>
+<ul class="blurbs">
<li id="M201711204">
<p>Intel's intentional “management engine” back door has <a
href="https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/";>
@@ -382,15 +416,6 @@
by attackers to gain root privileges.</p>
</li>
- <li id="M201502060">
- <p>Here is a suspicion that
- we can't prove, but is worth thinking about: <a
-
href="http://web.archive.org/web/20150206003913/http://www.afr.com/p/technology/intel_chips_could_be_nsa_key_to_ymrhS1HS1633gCWKt5tFtI";>
- Writable microcode for Intel and AMD microprocessors</a> may be a
- vehicle for the NSA to invade computers, with the help of Microsoft,
- say respected security experts.</p>
- </li>
-
<li id="M201309110">
<p>Here is a big problem whose details are still secret: <a
href="http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor/";>
@@ -401,11 +426,20 @@
<li id="M201308230">
<p>The German government <a
-
href="https://web.archive.org/web/20160310201616/http://drleonardcoldwell.com/2013/08/23/leaked-german-government-warns-key-entities-not-to-use-windows-8-linked-to-nsa/";>veers
+
href="http://drleonardcoldwell.com/leaked-german-government-warns-key-entities-not-to-use-windows-8-linked-to-nsa/";>veers
away from Windows 8 computers with TPM 2.0</a>, due to potential back
door capabilities of the TPM 2.0 chip.</p>
</li>
+ <li id="M201307300">
+ <p>Here is a suspicion that
+ we can't prove, but is worth thinking about: <a
+
href="https://web.archive.org/web/20150206003913/http://www.afr.com/p/technology/intel_chips_could_be_nsa_key_to_ymrhS1HS1633gCWKt5tFtI";>
+ Writable microcode for Intel and AMD microprocessors</a> may be a
+ vehicle for the NSA to invade computers, with the help of Microsoft,
+ say respected security experts.</p>
+ </li>
+
<li id="M201307114">
<p>HP “storage appliances” that
use the proprietary “Left Hand”
@@ -463,7 +497,7 @@
<p class="unprintable">Updated:
<!-- timestamp start -->
-$Date: 2018/09/23 21:05:07 $
+$Date: 2018/09/24 21:26:47 $
<!-- timestamp end -->
</p>
</div>
Index: proprietary-surveillance.html
===================================================================
RCS file:
/webcvs/www/www/server/staging/proprietary/proprietary-surveillance.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -b -r1.5 -r1.6
--- proprietary-surveillance.html 24 Aug 2016 15:32:45 -0000 1.5
+++ proprietary-surveillance.html 24 Sep 2018 21:26:47 -0000 1.6
@@ -1,41 +1,39 @@
<!--#include virtual="/server/header.html" -->
-<!-- Parent-Version: 1.79 -->
+<!-- Parent-Version: 1.84 -->
<title>Proprietary Surveillance - GNU Project - Free Software
Foundation</title>
<style type="text/css" media="print,screen"><!--
-.pict { max-width: 100%; margin: 1em auto; }
-.pict img { width: 100%; }
-.pict p {
- text-align: center;
- font-style: italic;
- margin-top: .5em;
-}
-.wide { width: 27em; }
-#surveillance {
- width: 63em; max-width: 100%;
- margin: auto;
+.announcement {
+ background: none;
}
#surveillance div.toc {
- width: 24.5em; max-width: 82%;
+ width: 24.5em; max-width: 94%;
margin-bottom: 1em;
}
address@hidden (min-width: 55em) {
address@hidden (min-width: 48em) {
#surveillance div.toc {
float: left;
width: auto; max-width: 48%;
margin: .2em 0 1em;
}
- #surveillance .pict.wide {
- float:right;
+ #surveillance .medium {
width: 43%;
margin: 7em 0 1em 1.5em;
}
}
--></style>
+<!-- GNUN: localize URL /graphics/dog.small.jpg -->
<!--#include virtual="/proprietary/po/proprietary-surveillance.translist" -->
<!--#include virtual="/server/banner.html" -->
<h2>Proprietary Surveillance</h2>
+<p>Nonfree (proprietary) software is very often malware (designed to
+mistreat the user). Nonfree software is controlled by its developers,
+which puts them in a position of power over the users; <a
+href="/philosophy/free-software-even-more-important.html">that is the
+basic injustice</a>. The developers often exercise that power to the
+detriment of the users they ought to serve.</p>
+
<div class="announcement">
<p>This document attempts to
track <strong>clearly established cases of proprietary software that
@@ -43,74 +41,77 @@
<p><a href="/proprietary/proprietary.html">
Other examples of proprietary malware</a></p>
+
+<p>If you know of an example that ought to be in this page but isn't
+here, please write
+to <a href="mailto:address@hidden";><address@hidden></a>
+to inform us. Please include the URL of a trustworthy reference or two
+to present the specifics.</p>
</div>
<div id="surveillance">
-<div class="pict wide">
-<a href="dog.html">
-<img src="dog.small.jpg" alt="Cartoon of a dog, wondering at the 3 ads that
popped up on his computer screen..." /></a>
+<div class="pict medium">
+<a href="/graphics/dog.html">
+<img src="/graphics/dog.small.jpg" alt="Cartoon of a dog, wondering at the
three ads that popped up on his computer screen..." /></a>
<p>“How did they find out I'm a dog?”</p>
</div>
<div class="toc">
- <h3 id="TableOfContents">Table of Contents</h3>
- <ul>
+<h3 id="TableOfContents">Table of Contents</h3>
+<ul>
<li><a href="#Introduction">Introduction</a></li>
- <li><a href="#OSSpyware">Spyware in Operating Systems</a>
+ <li><a href="#OSSpyware">Spyware in Laptops and Desktops</a>
<ul>
- <li><a href="#SpywareInWindows">Spyware in Windows</a></li>
- <li><a href="#SpywareInMacOS">Spyware in MacOS</a></li>
- <li><a href="#SpywareInAndroid">Spyware in Android</a></li>
+ <li><a href="#SpywareInWindows">Windows</a></li>
+ <li><a href="#SpywareInMacOS">MacOS</a></li>
+ <li><a href="#SpywareInBIOS">BIOS</a></li>
</ul>
</li>
- <li><a href="#SpywareOnMobiles">Spyware on Mobiles</a>
+ <li><a href="#SpywareOnMobiles">Spyware in Mobiles</a>
<ul>
- <li><a href="#SpywareIniThings">Spyware in iThings</a></li>
- <li><a href="#SpywareInTelephones">Spyware in Telephones</a></li>
- <li><a href="#SpywareInMobileApps">Spyware in Mobile Applications</a></li>
- <li><a href="#SpywareInGames">Spyware in Games</a></li>
- <li><a href="#SpywareInToys">Spyware in Toys</a></li>
+ <li><a href="#SpywareInPhones">All “Smart” Phones</a></li>
+ <li><a href="#SpywareIniThings">iThings</a></li>
+ <li><a href="#SpywareInTelephones">Android Phones</a></li>
+ <li><a href="#SpywareInElectronicReaders">E-Readers</a></li>
</ul>
</li>
- <li><a href="#SpywareAtLowLevel">Spyware at Low Level</a>
+ <li><a href="#SpywareInApplications">Spyware in Applications</a>
<ul>
- <li><a href="#SpywareInBIOS">Spyware in BIOS</a></li>
- <!-- <li><a href="#SpywareInFirmware">Spyware in Firmware</a></li> -->
+ <li><a href="#SpywareInMobileApps">Mobile Apps</a></li>
+ <li><a href="#SpywareInSkype">Skype</a></li>
+ <li><a href="#SpywareInGames">Games</a></li>
</ul>
</li>
- <li><a href="#SpywareAtWork">Spyware at Work</a>
+ <li><a href="#SpywareInEquipment">Spyware in Connected Equipment</a>
<ul>
- <li><a href="#SpywareInSkype">Spyware in Skype</a></li>
- </ul>
- </li>
- <li><a href="#SpywareOnTheRoad">Spyware on the Road</a>
+ <li><a href="#SpywareInTVSets">TV Sets</a></li>
+ <li><a href="#SpywareInCameras">Cameras</a></li>
+ <li><a href="#SpywareInToys">Toys</a></li>
+ <li><a href="#SpywareAtHome">Other Appliances</a></li>
+ <li><a href="#SpywareOnWearables">Wearables</a>
<ul>
- <li><a href="#SpywareInCameras">Spyware in Cameras</a></li>
- <li><a href="#SpywareInElectronicReaders">Spyware in e-Readers</a></li>
- <li><a href="#SpywareInVehicles">Spyware in Vehicles</a></li>
+ <li><a href="#SpywareOnSmartWatches">“Smart”
Watches</a></li>
</ul>
</li>
- <li><a href="#SpywareAtHome">Spyware at Home</a>
- <ul>
- <li><a href="#SpywareInTVSets">Spyware in TV Sets</a></li>
+ <li><a href="#SpywareInVehicles">Vehicles</a></li>
+ <li><a href="#SpywareInDrones">Drones</a></li>
+ <li><a href="#SpywareInVR">Virtual Reality</a></li>
</ul>
</li>
- <li><a href="#SpywareAtPlay">Spyware at Play</a></li>
- <li><a href="#SpywareOnTheWeb">Spyware on the Web</a>
+ <li><a href="#SpywareOnTheWeb">On the Web</a>
<ul>
- <li><a href="#SpywareInChrome">Spyware in Chrome</a></li>
- <li><a href="#SpywareInFlash">Spyware in Flash</a></li>
+ <li><a href="#SpywareInChrome">Chrome</a></li>
+ <li><a href="#SpywareInJavaScript">JavaScript</a></li>
+ <li><a href="#SpywareInFlash">Flash</a></li>
</ul>
</li>
- <li><a href="#SpywareEverywhere">Spyware Everywhere</a></li>
- </ul>
-</div>
-
+ <li><a href="#SpywareOnMobiles">Spying on Fixed Communications</a></li>
+</ul>
</div>
<div style="clear: left;"></div>
-<!-- #Introduction -->
+</div>
<div class="big-section">
<h3 id="Introduction">Introduction</h3>
@@ -131,759 +132,1601 @@
keyboard, in the mobile computing industry, in the office, at home, in
transportation systems, and in the classroom.</p>
-<h3 id="LatestAdditions">Latest additions</h3>
+<h4 id="AggregateInfoCollection">Aggregate or anonymized data</h4>
+
+<p>Many companies, in their privacy policy, have a clause that claims
+they share aggregate, non-personally identifiable information with
+third parties/partners. Such claims are worthless, for several
+reasons:</p>
+
+<ul>
+ <li>They could change the policy at any time.</li>
+ <li>They can twist the words by distributing an “aggregate” of
+ “anonymized” data which can be reidentified and attributed
to
+ individuals.</li>
+ <li>The raw data they don't normally distribute can be taken by
+ data breaches.</li>
+ <li>The raw data they don't normally distribute can be taken by
+ subpoena.</li>
+</ul>
+
+<p>Therefore, we must not be distracted by companies' statements of
+they will <em>do</em> with the data they collect. The wrong is that
+they collect it at all.</p>
+
+<h4 id="LatestAdditions">Latest additions</h4>
<p>Latest additions are found on top under each category.</p>
-<!-- #OSSpyware -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+
<div class="big-section">
- <h3 id="OSSpyware">Spyware in Operating Systems</h3>
+ <h3 id="OSSpyware">Spyware in Laptops and Desktops</h3>
<span class="anchor-reference-id">(<a
href="#OSSpyware">#OSSpyware</a>)</span>
</div>
<div style="clear: left;"></div>
-
<div class="big-subsection">
- <h4 id="SpywareInWindows">Spyware in Windows</h4>
+ <h4 id="SpywareInWindows">Windows</h4>
<span class="anchor-reference-id">(<a
href="#SpywareInWindows">#SpywareInWindows</a>)</span>
</div>
-<ul>
- <li><p><a
href="https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security";>
- Windows 10 comes with 13 screens of snooping options</a>, all enabled by
default,
- and turning them off would be daunting to most users.</p></li>
-
- <li><p><a
href="https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/";>
- Microsoft has already backdoored its disk encryption</a>.</p></li>
-
- <li>It appears
- <a
href="http://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/";>
+<ul class="blurbs">
+ <li id="M201712110">
+ <p>HP's proprietary operating system <a
+ href="http://www.bbc.com/news/technology-42309371";>includes a
+ proprietary keyboard driver with a key logger in it</a>.</p>
+ </li>
+
+ <li id="M201710134">
+ <p>Windows 10 telemetry program sends information to Microsoft about
+ the user's computer and their use of the computer.</p>
+
+ <p>Furthermore, for users who installed the
+ fourth stable build of Windows 10, called the
+ “Creators Update,” Windows maximized the surveillance <a
+
href="https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law";>
+ by force setting the telemetry mode to “Full”</a>.</p>
+
+ <p>The <a
+
href="https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#full-level";>
+ “Full” telemetry mode</a> allows Microsoft Windows
+ engineers to access, among other things, registry keys <a
+ href="https://technet.microsoft.com/en-us/library/cc939702.aspx";>which
+ can contain sensitive information like administrator's login
+ password</a>.</p>
+ </li>
+
+ <li id="M201702020">
+ <p>DRM-restricted files <a
+
href="https://yro.slashdot.org/story/17/02/02/231229/windows-drm-protected-files-used-to-decloak-tor-browser-users";>can
+ be used to identify people browsing through Tor</a>. The vulnerability
+ exists only if you use Windows.</p>
+ </li>
+
+ <li id="M201611240">
+ <p>By default, Windows 10 <a
+
href="http://betanews.com/2016/11/24/microsoft-shares-windows-10-telemetry-data-with-third-parties";>sends
+ debugging information to Microsoft, including core dumps</a>. Microsoft
+ now distributes them to another company.</p>
+ </li>
+
+ <li id="M201608171">
+ <p>In order to increase Windows 10's install base, Microsoft <a
+
href="https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive";>
+ blatantly disregards user choice and privacy</a>.</p>
+ </li>
+
+ <li id="M201603170">
+ <p><a
+
href="https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security";>
+ Windows 10 comes with 13 screens of snooping options</a>, all enabled
+ by default, and turning them off would be daunting to most users.</p>
+ </li>
+
+ <li id="M201601050">
+ <p>It appears <a
+
href="http://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/";>
Windows 10 sends data to Microsoft about what applications are
- running</a>.</li>
- <li><p>A downgrade to Windows 10 deleted surveillance-detection
+ running</a>.</p>
+ </li>
+
+ <li id="M201511264">
+ <p>A downgrade to Windows 10 deleted surveillance-detection
applications. Then another downgrade inserted a general spying
- program. Users noticed this and complained, so Microsoft
- renamed it
- <a
-href="https://web.archive.org/web/20160407082751/http://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/";>
-to give users the impression it was gone</a>.</p>
+ program. Users noticed this and complained, so Microsoft renamed it <a
+
href="https://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/";>
+ to give users the impression it was gone</a>.</p>
<p>To use proprietary software is to invite such treatment.</p>
</li>
- <li><p>
- Windows 10 <a
href="https://web.archive.org/web/20151001035410/https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/";>
- ships with default settings that show no regard for the
- privacy of its users</a>, giving Microsoft the “right”
- to snoop on the users' files, text input, voice input,
- location info, contacts, calendar records and web browsing
- history, as well as automatically connecting the machines to open
- hotspots and showing targeted ads.</p></li>
-
- <li><p>
- <a
href="http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/";>
- Windows 10 sends identifiable information to Microsoft</a>, even if a user
- turns off its Bing search and Cortana features, and activates the
- privacy-protection settings.</p></li>
-
- <li><p>
- Microsoft uses Windows 10's “privacy policy” to overtly impose a
- “right” to look at users' files at any time. Windows 10 full disk
- encryption <a
href="https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/";>
+
+ <li id="M201508180">
+ <p><a
+
href="https://web.archive.org/web/20150905163414/http://www.pocket-lint.com/news/134954-cortana-is-always-listening-with-new-wake-on-voice-tech-even-when-windows-10-is-sleeping";>
+ Intel devices will be able to listen for speech all the time, even
+ when “off.”</a></p>
+ </li>
+
+ <li id="M201508130">
+ <p><a
+
href="http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/";>
+ Windows 10 sends identifiable information to Microsoft</a>, even if
+ a user turns off its Bing search and Cortana features, and activates
+ the privacy-protection settings.</p>
+ </li>
+
+ <li id="M201507300">
+ <p>Windows 10 <a
+
href="https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/";>
+ ships with default settings that show no regard for the privacy of
+ its users</a>, giving Microsoft the “right” to snoop on
+ the users' files, text input, voice input, location info, contacts,
+ calendar records and web browsing history, as well as automatically
+ connecting the machines to open hotspots and showing targeted ads.</p>
+
+ <p>We can suppose Microsoft look at users' files for the US government
+ on demand, though the “privacy policy” does not explicitly
+ say so. Will it look at users' files for the Chinese government
+ on demand?</p>
+ </li>
+
+ <li id="M201506170">
+ <p>Microsoft uses Windows 10's “privacy policy”
+ to overtly impose a “right” to look at
+ users' files at any time. Windows 10 full disk encryption <a
+
href="https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/";>
gives Microsoft a key</a>.</p>
- <p>Thus, Windows is overt malware in regard to surveillance,
- as in other issues.</p>
+ <p>Thus, Windows is overt malware in regard to surveillance, as in
+ other issues.</p>
- <p>We can suppose Microsoft look at users' files for the US government on
- demand, though the “privacy policy” does not explicit say so.
Will it
- look at users' files for the Chinese government on demand?</p>
+ <p>We can suppose Microsoft look at users' files for the US government
+ on demand, though the “privacy policy” does not explicit
+ say so. Will it look at users' files for the Chinese government
+ on demand?</p>
- <p>The unique “advertising ID” for each user enables other
companies to
- track the browsing of each specific user.</p>
+ <p>The unique “advertising ID” for each user enables
+ other companies to track the browsing of each specific user.</p>
<p>It's as if Microsoft has deliberately chosen to make Windows 10
maximally evil on every dimension; to make a grab for total power
- over anyone that doesn't drop Windows now.</p></li>
+ over anyone that doesn't drop Windows now.</p>
+ </li>
- <li><p>It only gets worse with time.
- <a
href="http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html";>
+ <li id="M201410040">
+ <p>It only gets worse with time. <a
+
href="http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html";>
Windows 10 requires users to give permission for total snooping</a>,
including their files, their commands, their text input, and their
voice input.</p>
</li>
- <li><p><a
href="http://www.infoworld.com/article/2611451/microsoft-windows/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html";>
- Windows 8.1 snoops on local searches.</a>.</p>
+ <li id="M201401150">
+ <p id="baidu-ime"><a
+
href="https://www.techrepublic.com/blog/asian-technology/japanese-government-warns-baidu-ime-is-spying-on-users/";>
+ Baidu's Japanese-input and Chinese-input apps spy on users</a>.</p>
</li>
- <li><p>And there's a
- <a href="http://www.marketoracle.co.uk/Article40836.html";>
- secret NSA key in Windows</a>, whose functions we don't know.</p>
+ <li id="M201307080">
+ <p>Spyware in older versions of Windows: <a
+ href="https://www.theregister.co.uk/2003/02/28/windows_update_keeps_tabs/";>
+ Windows Update snoops on the user</a>. <a
+
href="https://www.infoworld.com/article/2611451/microsoft-windows/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html";>
+ Windows 8.1 snoops on local searches</a>. And there's a <a
+ href="http://www.marketoracle.co.uk/Article40836.html";> secret NSA
+ key in Windows</a>, whose functions we don't know.</p>
</li>
</ul>
+
<p>Microsoft's snooping on users did not start with Windows 10.
There's a lot more <a href="/proprietary/malware-microsoft.html">
Microsoft malware</a>.</p>
<div class="big-subsection">
- <h4 id="SpywareInMacOS">Spyware in MacOS</h4>
+ <h4 id="SpywareInMacOS">MacOS</h4>
<span class="anchor-reference-id">(<a
href="#SpywareInMacOS">#SpywareInMacOS</a>)</span>
</div>
-<ul>
- <li><p><a
href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/";>
- MacOS automatically sends to Apple servers unsaved documents being
- edited</a>. The <a
-
href="https://www.schneier.com/blog/archives/2014/10/apple_copies_yo.html?utm_source=twitterfeed&utm_medium=twitter/";>
- things you have not decided to save are even more sensitive than
- the things you have stored in files</a>.</p>
+<ul class="blurbs">
+ <li id="M201809070">
+ <p>Adware Doctor, an ad blocker for MacOS, <a
+
href="https://motherboard.vice.com/en_us/article/wjye8x/mac-anti-adware-doctor-app-steals-browsing-history";>reports
+ the user's browsing history</a>.</p>
</li>
- <li><p>Apple has made various
- <a
href="http://www.theguardian.com/technology/2014/nov/04/apple-data-privacy-icloud";>
+ <li id="M201411040">
+ <p>Apple has made various <a
+
href="http://www.theguardian.com/technology/2014/nov/04/apple-data-privacy-icloud";>
MacOS programs send files to Apple servers without asking
- permission</a>. This exposes the files to Big Brother and perhaps to
- other snoops.</p>
+ permission</a>. This exposes the files to Big Brother and perhaps
+ to other snoops.</p>
<p>It also demonstrates how you can't trust proprietary software,
- because even if today's version doesn't have a malicious
- functionality, tomorrow's version might add it. The developer won't
- remove the malfeature unless many users push back hard, and the users
- can't remove it themselves.</p>
+ because even if today's version doesn't have a malicious functionality,
+ tomorrow's version might add it. The developer won't remove the
+ malfeature unless many users push back hard, and the users can't
+ remove it themselves.</p>
</li>
- <li><p>Various operations in
- <a
href="http://lifehacker.com/safari-and-spotlight-can-send-data-to-apple-heres-how-1648453540";>
- the latest MacOS send reports to Apple</a> servers.</p>
+ <li id="M201410300">
+ <p><a
+
href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/";>
+ MacOS automatically sends to Apple
+ servers unsaved documents being edited</a>. The <a
+
href="https://www.schneier.com/blog/archives/2014/10/apple_copies_yo.html?utm_source=twitterfeed&utm_medium=twitter/";>
+ things you have not decided to save are even more sensitive than the
+ things you have stored in files</a>.</p>
</li>
- <li><p>Apple admits the
- <a
href="http://www.intego.com/mac-security-blog/spotlight-suggestions-in-os-x-yosemite-and-ios-are-you-staying-private/";>
- spying in a search facility</a>, but there's a lot
- <a href="https://github.com/fix-macosx/yosemite-phone-home";>
- more snooping that Apple has not talked about</a>.</p>
+ <li id="M201410220">
+ <p>Apple admits the <a
+
href="http://www.intego.com/mac-security-blog/spotlight-suggestions-in-os-x-yosemite-and-ios-are-you-staying-private/";>
+ spying in a search facility</a>, but there's a lot <a
+ href="https://github.com/fix-macosx/yosemite-phone-home";> more snooping
+ that Apple has not talked about</a>.</p>
+ </li>
+
+ <li id="M201410200">
+ <p>Various operations in <a
+
href="http://lifehacker.com/safari-and-spotlight-can-send-data-to-apple-heres-how-1648453540";>
+ the latest MacOS send reports to Apple</a> servers.</p>
</li>
- <li><p><a
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html";>
+ <li id="M201401101">
+ <p><a
+
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html";>
Spotlight search</a> sends users' search terms to Apple.</p>
</li>
</ul>
+
<p>There's a lot more <a href="#SpywareIniThings">iThing spyware</a>, and
<a href="/proprietary/malware-apple.html">Apple malware</a>.</p>
<div class="big-subsection">
- <h4 id="SpywareInAndroid">Spyware in Android</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInAndroid">#SpywareInAndroid</a>)</span>
+ <a id="SpywareAtLowLevel"></a>
+ <h4 id="SpywareInBIOS">BIOS</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInBIOS">#SpywareInBIOS</a>)</span>
</div>
-<ul>
- <li><p>More than 73% of the most popular Android apps
- <a href="http://jots.pub/a/2015103001/index.php";>share personal,
- behavioral and location information</a> of their users with third
parties.</p>
- </li>
-
- <li><p>“Cryptic communication,” unrelated to the app's
functionality,
- was <a
href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119";>
- found in the 500 most popular gratis Android apps</a>.</p>
-
- <p>The article should not have described these apps as
- “free”—they are not free software. The clear way to say
- “zero price” is “gratis.”</p>
-
- <p>The article takes for granted that the usual analytics tools are
- legitimate, but is that valid? Software developers have no right to
- analyze what users are doing or how. “Analytics” tools that
snoop are
- just as wrong as any other snooping.</p>
- </li>
- <li><p>Gratis Android apps (but not <a href="/philosophy/free-sw.html">free
software</a>)
- connect to 100
- <a
href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites";>tracking
and advertising</a> URLs,
- on the average.</p>
- </li>
- <li><p>Spyware is present in some Android devices when they are sold.
- Some Motorola phones modify Android to
- <a
href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html";>
- send personal data to Motorola</a>.</p>
- </li>
-
- <li><p>Some manufacturers add a
- <a
href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/";>
- hidden general surveillance package such as Carrier IQ.</a></p>
- </li>
-
- <li><p><a href="/proprietary/proprietary-back-doors.html#samsung">
- Samsung's back door</a> provides access to any file on the system.</p>
+<ul class="blurbs">
+ <li id="M201509220">
+ <p><a
+
href="http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html";>
+ Lenovo stealthily installed crapware and spyware via
+ BIOS</a> on Windows installs. Note that the specific
+ sabotage method Lenovo used did not affect GNU/Linux; also, a
+ “clean” Windows install is not really clean since <a
+ href="/proprietary/malware-microsoft.html">Microsoft puts in its
+ own malware</a>.</p>
</li>
</ul>
-<!-- #SpywareOnMobiles -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
-
<div class="big-section">
- <h3 id="SpywareOnMobiles">Spyware on Mobiles</h3>
+ <h3 id="SpywareOnMobiles">Spyware in Mobiles</h3>
<span class="anchor-reference-id">(<a
href="#SpywareOnMobiles">#SpywareOnMobiles</a>)</span>
</div>
<div style="clear: left;"></div>
-
<div class="big-subsection">
- <h4 id="SpywareIniThings">Spyware in iThings</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareIniThings">#SpywareIniThings</a>)</span>
+ <h4 id="SpywareInTelephones">All “Smart” Phones</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInTelephones">#SpywareInTelephones</a>)</span>
</div>
-<ul>
- <li><p>Users cannot make an Apple ID <a
href="http://apple.stackexchange.com/questions/49951/how-can-i-download-free-apps-without-registering-an-apple-idcool";>(necessary
to install even gratis apps)</a>
- without giving a valid email address and receiving the code Apple
- sends to it.</p>
+<ul class="blurbs">
+ <li id="M201601110">
+ <p>The natural extension of monitoring
+ people through “their” phones is <a
+
href="http://www.northwestern.edu/newscenter/stories/2016/01/fool-activity-tracker.html";>
+ proprietary software to make sure they can't “fool”
+ the monitoring</a>.</p>
</li>
- <li><p>Around 47% of the most popular iOS apps
- <a href="http://jots.pub/a/2015103001/index.php";>share personal,
- behavioral and location information</a> of their users with third
parties.</p>
+ <li id="M201510050">
+ <p>According to Edward Snowden, <a
+ href="http://www.bbc.com/news/uk-34444233";>agencies can take over
+ smartphones</a> by sending hidden text messages which enable
+ them to turn the phones on and off, listen to the microphone,
+ retrieve geo-location data from the GPS, take photographs, read
+ text messages, read call, location and web browsing history, and
+ read the contact list. This malware is designed to disguise itself
+ from investigation.</p>
+ </li>
+
+ <li id="M201311120">
+ <p><a
+
href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html";>
+ The NSA can tap data in smart phones, including iPhones,
+ Android, and BlackBerry</a>. While there is not much
+ detail here, it seems that this does not operate via
+ the universal back door that we know nearly all portable
+ phones have. It may involve exploiting various bugs. There are <a
+
href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone";>
+ lots of bugs in the phones' radio software</a>.</p>
+ </li>
+
+ <li id="M201307000">
+ <p>Portable phones with GPS <a
+
href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers";>will
+ send their GPS location on remote command</a>, and users cannot stop
+ them. (The US says it will eventually require all new portable phones
+ to have GPS.)</p>
</li>
+</ul>
+
- <li><p>iThings automatically upload to Apple's servers all the photos and
- videos they make.</p>
+<div class="big-subsection">
+ <h4 id="SpywareIniThings">iThings</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareIniThings">#SpywareIniThings</a>)</span>
+</div>
- <blockquote><p>
- iCloud Photo Library stores every photo and video you take,
- and keeps them up to date on all your devices.
- Any edits you make are automatically updated everywhere. [...]
- </p></blockquote>
+<ul class="blurbs">
+ <li id="M201711250">
+ <p>The DMCA and the EU Copyright Directive make it <a
+ href="https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html";>
+ illegal to study how iOS cr…apps spy on users</a>, because
+ this would require circumventing the iOS DRM.</p>
+ </li>
+
+ <li id="M201709210">
+ <p>In the latest iThings system,
+ “turning off” WiFi and Bluetooth the obvious way <a
+
href="https://www.theguardian.com/technology/2017/sep/21/ios-11-apple-toggling-wifi-bluetooth-control-centre-doesnt-turn-them-off";>
+ doesn't really turn them off</a>. A more advanced way really does turn
+ them off—only until 5am. That's Apple for you—“We
+ know you want to be spied on”.</p>
+ </li>
+
+ <li id="M201702150">
+ <p>Apple proposes <a
+
href="https://www.theguardian.com/technology/2017/feb/15/apple-removing-iphone-home-button-fingerprint-scanning-screen";>a
+ fingerprint-scanning touch screen</a>—which would mean no way
+ to use it without having your fingerprints taken. Users would have
+ no way to tell whether the phone is snooping on them.</p>
+ </li>
+
+ <li id="M201611170">
+ <p>iPhones <a
+
href="https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/";>send
+ lots of personal data to Apple's servers</a>. Big Brother can get
+ them from there.</p>
+ </li>
+
+ <li id="M201609280">
+ <p>The iMessage app on iThings <a
+
href="https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/";>tells
+ a server every phone number that the user types into it</a>; the
+ server records these numbers for at least 30 days.</p>
+ </li>
+
+ <li id="M201509240">
+ <p>iThings automatically upload to Apple's servers all the photos
+ and videos they make.</p>
+
+ <p> iCloud Photo Library stores every photo and video you take,
+ and keeps them up to date on all your devices. Any edits you make
+ are automatically updated everywhere. […]</p>
<p>(From <a href="https://www.apple.com/icloud/photos/";>Apple's iCloud
information</a> as accessed on 24 Sep 2015.) The iCloud feature is
<a href="https://support.apple.com/en-us/HT202033";>activated by the
- startup of iOS</a>. The term “cloud” means
- “please don't ask where.”</p>
+ startup of iOS</a>. The term “cloud” means “please
+ don't ask where.”</p>
- <p>There is a way to <a href="https://support.apple.com/en-us/HT201104";>
- deactivate iCloud</a>, but it's active by default so it still counts as a
+ <p>There is a way to
+ <a href="https://support.apple.com/en-us/HT201104";> deactivate
+ iCloud</a>, but it's active by default so it still counts as a
surveillance functionality.</p>
- <p>Unknown people apparently took advantage of this to
- <a
href="https://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence";>get
+ <p>Unknown people apparently took advantage of this to <a
+
href="https://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence";>get
nude photos of many celebrities</a>. They needed to break Apple's
- security to get at them, but NSA can access any of them through
- <a
href="/philosophy/surveillance-vs-democracy.html#digitalcash">PRISM</a>.
- </p></li>
+ security to get at them, but NSA can access any of them through <a
+
href="/philosophy/surveillance-vs-democracy.html#digitalcash">PRISM</a>.</p>
+ </li>
- <li><p>Spyware in iThings:
- the <a
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html";>
- iBeacon</a> lets stores determine exactly where the iThing is,
- and get other info too.</p>
+ <li id="M201409220">
+ <p>Apple can, and regularly does, <a
+
href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/";>
+ remotely extract some data from iPhones for the state</a>.</p>
+
+ <p>This may have improved with <a
+
href="http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html";>
+ iOS 8 security improvements</a>; but <a
+ href="https://firstlook.org/theintercept/2014/09/22/apple-data/";>
+ not as much as Apple claims</a>.</p>
</li>
- <li><p>There is also a feature for web sites to track users, which is
- <a
href="http://nakedsecurity.sophos.com/2012/10/17/how-to-disable-apple-ios-user-tracking-ios-6/";>
- enabled by default</a>. (That article talks about iOS 6, but it
- is still true in iOS 7.)</p>
+ <li id="M201407230">
+ <p><a
+
href="http://www.theguardian.com/technology/2014/jul/23/iphone-backdoors-surveillance-forensic-services";>
+ Several “features” of iOS seem to exist
+ for no possible purpose other than surveillance</a>. Here is the <a
+
href="http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms_Moved.pdf";>
+ Technical presentation</a>.</p>
</li>
- <li><p>The iThing also
- <a
-href="https://web.archive.org/web/20160313215042/http://www.theregister.co.uk/2013/08/08/ios7_tracking_now_its_a_favourite_feature/";>
+ <li id="M201401100">
+ <p>The <a class="not-a-duplicate"
+
href="http://finance.yahoo.com/blogs/the-exchange/privacy-advocates-worry-over-new-apple-iphone-tracking-feature-161836223.html";>
+ iBeacon</a> lets stores determine exactly where the iThing is, and
+ get other info too.</p>
+ </li>
+
+ <li id="M201312300">
+ <p><a
+
href="http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep";>
+ Either Apple helps the NSA snoop on all the data in an iThing, or it
+ is totally incompetent</a>.</p>
+ </li>
+
+ <li id="M201308080">
+ <p>The iThing also <a
+
href="https://www.theregister.co.uk/2013/08/08/ios7_tracking_now_its_a_favourite_feature/";>
tells Apple its geolocation</a> by default, though that can be
turned off.</p>
</li>
- <li><p>Apple can, and regularly does,
- <a
href="http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-apple-can-give-to-police/";>
- remotely extract some data from iPhones for the state</a>.</p>
+ <li id="M201210170">
+ <p>There is also a feature for web sites to track users, which is <a
+
href="http://nakedsecurity.sophos.com/2012/10/17/how-to-disable-apple-ios-user-tracking-ios-6/";>
+ enabled by default</a>. (That article talks about iOS 6, but it is
+ still true in iOS 7.)</p>
</li>
- <li><p><a
href="http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep";>
- Either Apple helps the NSA snoop on all the data in an iThing,
- or it is totally incompetent.</a></p>
- </li>
-
- <li><p><a
href="http://www.theguardian.com/technology/2014/jul/23/iphone-backdoors-surveillance-forensic-services";>
- Several “features” of iOS seem to exist for no
- possible purpose other than surveillance</a>. Here is the
- <a
href="http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms_Moved.pdf";>
- Technical presentation</a>.</p>
+ <li id="M201204280">
+ <p>Users cannot make an Apple ID (<a
+
href="https://apple.stackexchange.com/questions/49951/how-can-i-download-free-apps-without-registering-an-apple-id";>necessary
+ to install even gratis apps</a>) without giving a valid email address
+ and receiving the code Apple sends to it.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInTelephones">Spyware in Telephones</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInTelephones">#SpywareInTelephones</a>)</span>
+ <h4 id="SpywareInAndroid">Android Telephones</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInAndroid">#SpywareInAndroid</a>)</span>
</div>
-<ul>
- <li><p>According to Edward Snowden,
- <a href="http://www.bbc.com/news/uk-34444233";>agencies can take over
smartphones</a>
- by sending hidden text messages which enable them to turn the phones
- on and off, listen to the microphone, retrieve geo-location data from the
- GPS, take photographs, read text messages, read call, location and web
- browsing history, and read the contact list. This malware is designed to
- disguise itself from investigation.</p>
- </li>
-
- <li><p>Samsung phones come with
- <a
href="http://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/";>apps
that users can't delete</a>,
- and they send so much data that their transmission is a
- substantial expense for users. Said transmission, not wanted or
- requested by the user, clearly must constitute spying of some
- kind.</p></li>
+<ul class="blurbs">
+ <li id="M201711210">
+ <p>Android tracks location for Google <a
+
href="https://www.techdirt.com/articles/20171121/09030238658/investigation-finds-google-collected-location-data-even-with-location-services-turned-off.shtml";>
+ even when “location services” are turned off, even when
+ the phone has no SIM card</a>.</p>
+ </li>
+
+ <li id="M201611150">
+ <p>Some portable phones <a
+
href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html";>are
+ sold with spyware sending lots of data to China</a>.</p>
+ </li>
+
+ <li id="M201609140">
+ <p>Google Play (a component of Android) <a
+
href="https://www.extremetech.com/mobile/235594-yes-google-play-is-tracking-you-and-thats-just-the-tip-of-a-very-large-iceberg";>
+ tracks the users' movements without their permission</a>.</p>
+
+ <p>Even if you disable Google Maps and location tracking, you must
+ disable Google Play itself to completely stop the tracking. This is
+ yet another example of nonfree software pretending to obey the user,
+ when it's actually doing something else. Such a thing would be almost
+ unthinkable with free software.</p>
+ </li>
+
+ <li id="M201507030">
+ <p>Samsung phones come with <a
+
href="http://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/";>apps
+ that users can't delete</a>, and they send so much data that their
+ transmission is a substantial expense for users. Said transmission,
+ not wanted or requested by the user, clearly must constitute spying
+ of some kind.</p>
+ </li>
+
+ <li id="M201403120">
+ <p><a href="/proprietary/proprietary-back-doors.html#samsung">
+ Samsung's back door</a> provides access to any file on the system.</p>
+ </li>
+
+ <li id="M201308010">
+ <p>Spyware in Android phones (and Windows? laptops): The Wall Street
+ Journal (in an article blocked from us by a paywall) reports that <a
+
href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj";>
+ the FBI can remotely activate the GPS and microphone in Android phones
+ and laptops</a>. (I suspect this means Windows laptops.) Here is <a
+ href="http://cryptome.org/2013/08/fbi-hackers.htm";>more info</a>.</p>
+ </li>
+
+ <li id="M201307280">
+ <p>Spyware is present in some Android devices when
+ they are sold. Some Motorola phones modify Android to <a
+ href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html";>
+ send personal data to Motorola</a>.</p>
+ </li>
- <li><p>A Motorola phone
- <a
href="https://www.motorola.com/us/X8-Mobile-Computing-System/x8-mobile-computing-system.html";>
+ <li id="M201307250">
+ <p>A Motorola phone <a
+
href="http://www.itproportal.com/2013/07/25/motorolas-new-x8-arm-chip-underpinning-the-always-on-future-of-android/";>
listens for voice all the time</a>.</p>
</li>
- <li><p>Spyware in Android phones (and Windows? laptops): The Wall
- Street Journal (in an article blocked from us by a paywall)
- reports that
- <a
href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj";>
- the FBI can remotely activate the GPS and microphone in Android
- phones and laptops</a>.
- (I suspect this means Windows laptops.) Here is
- <a href="http://cryptome.org/2013/08/fbi-hackers.htm";>more info</a>.</p>
+ <li id="M201302150">
+ <p>Google Play intentionally sends app developers <a
+
href="http://gadgets.ndtv.com/apps/news/google-play-store-policy-raises-privacy-concerns-331116";>
+ the personal details of users that install the app</a>.</p>
+
+ <p>Merely asking the “consent” of users is not enough to
+ legitimize actions like this. At this point, most users have stopped
+ reading the “Terms and Conditions” that spell out what
+ they are “consenting” to. Google should clearly and
+ honestly identify the information it collects on users, instead of
+ hiding it in an obscurely worded EULA.</p>
+
+ <p>However, to truly protect people's privacy, we must prevent Google
+ and other companies from getting this personal information in the
+ first place!</p>
+ </li>
+
+ <li id="M201111170">
+ <p>Some manufacturers add a <a
+
href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/";>
+ hidden general surveillance package such as Carrier IQ</a>.</p>
</li>
+</ul>
- <li><p>Portable phones with GPS will send their GPS location on
- remote command and users cannot stop them:
- <a
href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers";>
-
http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers</a>.
- (The US says it will eventually require all new portable phones
- to have GPS.)</p>
+
+<div class="big-subsection">
+ <h4 id="SpywareInElectronicReaders">E-Readers</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInElectronicReaders">#SpywareInElectronicReaders</a>)</span>
+</div>
+
+<ul class="blurbs">
+ <li id="M201603080">
+ <p>E-books can contain JavaScript code, and <a
+
href="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds";>sometimes
+ this code snoops on readers</a>.</p>
</li>
- <li><p>The nonfree Snapchat app's principal purpose is to restrict
- the use of data on the user's computer, but it does surveillance
- too: <a
href="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers";>
- it tries to get the user's list of other people's phone
- numbers.</a></p>
+ <li id="M201410080">
+ <p>Adobe made “Digital Editions,”
+ the e-reader used by most US libraries, <a
+
href="http://www.computerworlduk.com/blogs/open-enterprise/drm-strikes-again-3575860/";>
+ send lots of data to Adobe</a>. Adobe's “excuse”: it's
+ needed to check DRM!</p>
+ </li>
+
+ <li id="M201212031">
+ <p>The Electronic Frontier Foundation has examined and found <a
+ href="https://www.eff.org/pages/reader-privacy-chart-2012";>various
+ kinds of surveillance in the Swindle and other e-readers</a>.</p>
+ </li>
+
+ <li id="M201212030">
+ <p>Spyware in many e-readers—not only the Kindle: <a
+ href="https://www.eff.org/pages/reader-privacy-chart-2012";> they
+ report even which page the user reads at what time</a>.</p>
</li>
</ul>
+
+<div class="big-section">
+ <h3 id="SpywareInApplications">Spyware in Applications</h3>
+ <span class="anchor-reference-id">(<a
href="#SpywareInApplications">#SpywareInApplications</a>)</span>
+</div>
+<div style="clear: left;"></div>
+
<div class="big-subsection">
- <h4 id="SpywareInMobileApps">Spyware in Mobile Applications</h4>
+ <h4 id="SpywareInMobileApps">Mobile Apps</h4>
<span class="anchor-reference-id">(<a
href="#SpywareInMobileApps">#SpywareInMobileApps</a>)</span>
</div>
-<ul>
- <li><p>Apps that include
- <a
href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/";>
+<ul class="blurbs">
+ <li id="M201808030">
+ <p>Some Google apps on Android <a
+
href="https://www.theguardian.com/technology/2018/aug/13/google-location-tracking-android-iphone-mobile";>
+ record the user's location even when users disable “location
+ tracking”</a>.</p>
+
+ <p>There are other ways to turn off the other kinds of location
+ tracking, but most users will be tricked by the misleading control.</p>
+ </li>
+
+ <li id="M201806110">
+ <p>The Spanish football streaming app <a
+
href="https://boingboing.net/2018/06/11/spanish-football-app-turns-use.html";>tracks
+ the user's movements and listens through the microphone</a>.</p>
+
+ <p>This makes them act as spies for licensing enforcement.</p>
+
+ <p>I expect it implements DRM, too—that there is no way to save
+ a recording. But I can't be sure from the article.</p>
+
+ <p>If you learn to care much less about sports, you will benefit in
+ many ways. This is one more.</p>
+ </li>
+
+ <li id="M201804160">
+ <p>More than <a
+
href="https://www.theguardian.com/technology/2018/apr/16/child-apps-games-android-us-google-play-store-data-sharing-law-privacy";>50%
+ of the 5,855 Android apps studied by researchers were found to snoop
+ and collect information about its users</a>. 40% of the apps were
+ found to insecurely snitch on its users. Furthermore, they could
+ detect only some methods of snooping, in these proprietary apps whose
+ source code they cannot look at. The other apps might be snooping
+ in other ways.</p>
+
+ <p>This is evidence that proprietary apps generally work against
+ their users. To protect their privacy and freedom, Android users
+ need to get rid of the proprietary software—both proprietary
+ Android by <a href="https://replicant.us";>switching to Replicant</a>,
+ and the proprietary apps by getting apps from the free software
+ only <a href="https://f-droid.org/";>F-Droid store</a> that <a
+ href="https://f-droid.org/wiki/page/Antifeatures";> prominently warns
+ the user if an app contains anti-features</a>.</p>
+ </li>
+
+ <li id="M201804020">
+ <p>Grindr collects information about <a
+
href="https://www.commondreams.org/news/2018/04/02/egregious-breach-privacy-popular-app-grindr-supplies-third-parties-users-hiv-status";>
+ which users are HIV-positive, then provides the information to
+ companies</a>.</p>
+
+ <p>Grindr should not have so much information about its users.
+ It could be designed so that users communicate such info to each
+ other but not to the server's database.</p>
+ </li>
+
+ <li id="M201803050">
+ <p>The moviepass app and dis-service
+ spy on users even more than users expected. It <a
+
href="https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/";>records
+ where they travel before and after going to a movie</a>.</p>
+
+ <p>Don't be tracked—pay cash!</p>
+ </li>
+
+ <li id="M201711240">
+ <p>Tracking software in popular Android apps
+ is pervasive and sometimes very clever. Some trackers can <a
+
href="https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/";>
+ follow a user's movements around a physical store by noticing WiFi
+ networks</a>.</p>
+ </li>
+
+ <li id="M201708270">
+ <p>The Sarahah app <a
+
href="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/";>
+ uploads all phone numbers and email addresses</a> in user's address
+ book to developer's server. Note that this article misuses the words
+ “<a href="/philosophy/free-sw.html">free software</a>”
+ referring to zero price.</p>
+ </li>
+
+ <li id="M201707270">
+ <p>20 dishonest Android apps recorded <a
+
href="https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts";>phone
+ calls and sent them and text messages and emails to snoopers</a>.</p>
+
+ <p>Google did not intend to make these apps spy; on the contrary, it
+ worked in various ways to prevent that, and deleted these apps after
+ discovering what they did. So we cannot blame Google specifically
+ for the snooping of these apps.</p>
+
+ <p>On the other hand, Google redistributes nonfree Android apps, and
+ therefore shares in the responsibility for the injustice of their being
+ nonfree. It also distributes its own nonfree apps, such as Google Play,
+ <a href="/philosophy/free-software-even-more-important.html">which
+ are malicious</a>.</p>
+
+ <p>Could Google have done a better job of preventing apps from
+ cheating? There is no systematic way for Google, or Android users,
+ to inspect executable proprietary apps to see what they do.</p>
+
+ <p>Google could demand the source code for these apps, and study
+ the source code somehow to determine whether they mistreat users in
+ various ways. If it did a good job of this, it could more or less
+ prevent such snooping, except when the app developers are clever
+ enough to outsmart the checking.</p>
+
+ <p>But since Google itself develops malicious apps, we cannot trust
+ Google to protect us. We must demand release of source code to the
+ public, so we can depend on each other.</p>
+ </li>
+
+ <li id="M201705230">
+ <p>Apps for BART <a
+
href="https://consumerist.com/2017/05/23/passengers-say-commuter-rail-app-illegally-collects-personal-user-data/";>snoop
+ on users</a>.</p>
+
+ <p>With free software apps, users could <em>make sure</em> that they
+ don't snoop.</p>
+
+ <p>With proprietary apps, one can only hope that they don't.</p>
+ </li>
+
+ <li id="M201705040">
+ <p>A study found 234 Android apps that track users by <a
+
href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/";>listening
+ to ultrasound from beacons placed in stores or played by TV
+ programs</a>.</p>
+ </li>
+
+ <li id="M201704260">
+ <p>Faceapp appears to do lots of surveillance, judging by <a
+
href="https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/";>
+ how much access it demands to personal data in the device</a>.</p>
+ </li>
+
+ <li id="M201704190">
+ <p>Users are suing Bose for <a
+
href="https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/";>
+ distributing a spyware app for its headphones</a>. Specifically,
+ the app would record the names of the audio files users listen to
+ along with the headphone's unique serial number.</p>
+
+ <p>The suit accuses that this was done without the users' consent.
+ If the fine print of the app said that users gave consent for this,
+ would that make it acceptable? No way! It should be flat out <a
+ href="/philosophy/surveillance-vs-democracy.html"> illegal to design
+ the app to snoop at all</a>.</p>
+ </li>
+
+ <li id="M201704074">
+ <p>Pairs of Android apps can collude
+ to transmit users' personal data to servers. <a
+
href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/";>A
+ study found tens of thousands of pairs that collude</a>.</p>
+ </li>
+
+ <li id="M201703300">
+ <p>Verizon <a
+
href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones";>
+ announced an opt-in proprietary search app that it will</a> pre-install
+ on some of its phones. The app will give Verizon the same information
+ about the users' searches that Google normally gets when they use
+ its search engine.</p>
+
+ <p>Currently, the app is <a
+
href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware";>
+ being pre-installed on only one phone</a>, and the user must
+ explicitly opt-in before the app takes effect. However, the app
+ remains spyware—an “optional” piece of spyware is
+ still spyware.</p>
+ </li>
+
+ <li id="M201701210">
+ <p>The Meitu photo-editing app <a
+
href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/";>sends
+ user data to a Chinese company</a>.</p>
+ </li>
+
+ <li id="M201611280">
+ <p>The Uber app tracks <a
+
href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/";>clients'
+ movements before and after the ride</a>.</p>
+
+ <p>This example illustrates how “getting the user's
+ consent” for surveillance is inadequate as a protection against
+ massive surveillance.</p>
+ </li>
+
+ <li id="M201611160">
+ <p>A <a
+
href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf";>
+ research paper</a> that investigated the privacy and security of
+ 283 Android VPN apps concluded that “in spite of the promises
+ for privacy, security, and anonymity given by the majority of VPN
+ apps—millions of users may be unawarely subject to poor security
+ guarantees and abusive practices inflicted by VPN apps.”</p>
+
+ <p>Following is a non-exhaustive list of proprietary VPN apps from
+ the research paper that tracks and infringes the privacy of users:</p>
+
+ <dl>
+ <dt>SurfEasy</dt>
+ <dd>Includes tracking libraries such as NativeX and Appflood,
+ meant to track users and show them targeted ads.</dd>
+
+ <dt>sFly Network Booster</dt>
+ <dd>Requests the <code>READ_SMS</code> and <code>SEND_SMS</code>
+ permissions upon installation, meaning it has full access to users'
+ text messages.</dd>
+
+ <dt>DroidVPN and TigerVPN</dt>
+ <dd>Requests the <code>READ_LOGS</code> permission to read logs
+ for other apps and also core system logs. TigerVPN developers have
+ confirmed this.</dd>
+
+ <dt>HideMyAss</dt>
+ <dd>Sends traffic to LinkedIn. Also, it stores detailed logs and
+ may turn them over to the UK government if requested.</dd>
+
+ <dt>VPN Services HotspotShield</dt>
+ <dd>Injects JavaScript code into the HTML pages returned to the
+ users. The stated purpose of the JS injection is to display ads. Uses
+ roughly 5 tracking libraries. Also, it redirects the user's traffic
+ through valueclick.com (an advertising website).</dd>
+
+ <dt>WiFi Protector VPN</dt>
+ <dd>Injects JavaScript code into HTML pages, and also uses roughly
+ 5 tracking libraries. Developers of this app have confirmed that
+ the non-premium version of the app does JavaScript injection for
+ tracking and display ads.</dd>
+ </dl>
+ </li>
+
+ <li id="M201609210">
+ <p>Google's new voice messaging app <a
+
href="http://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google";>logs
+ all conversations</a>.</p>
+ </li>
+
+ <li id="M201606050">
+ <p>Facebook's new Magic Photo app <a
+
href="https://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/";>
+ scans your mobile phone's photo collections for known faces</a>,
+ and suggests you to share the picture you take according to who is
+ in the frame.</p>
+
+ <p>This spyware feature seems to require online access to some
+ known-faces database, which means the pictures are likely to be
+ sent across the wire to Facebook's servers and face-recognition
+ algorithms.</p>
+
+ <p>If so, none of Facebook users' pictures are private anymore,
+ even if the user didn't “upload” them to the service.</p>
+ </li>
+
+ <li id="M201605310">
+ <p>Facebook's app listens all the time, <a
+
href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html";>to
+ snoop on what people are listening to or watching</a>. In addition,
+ it may be analyzing people's conversations to serve them with targeted
+ advertisements.</p>
+ </li>
+
+ <li id="M201604250">
+ <p>A pregnancy test controller application not only can <a
+
href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security";>spy
+ on many sorts of data in the phone, and in server accounts, it can
+ alter them too</a>.</p>
+ </li>
+
+ <li id="M201601130">
+ <p>Apps that include <a
+
href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/";>
Symphony surveillance software snoop on what radio and TV programs
are playing nearby</a>. Also on what users post on various sites
such as Facebook, Google+ and Twitter.</p>
</li>
- <li><p>Facebook's new Magic Photo app
- <a
-href="https://web.archive.org/web/20160605165148/http://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/";>
-scans your mobile phone's photo collections for known faces</a>,
- and suggests you to share the picture you take according to who
- is in the frame.</p>
+ <li id="M201511190">
+ <p>“Cryptic communication,”
+ unrelated to the app's functionality, was <a
+ href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119";>
+ found in the 500 most popular gratis Android apps</a>.</p>
- <p>This spyware feature seems to require online access to some
- known-faces database, which means the pictures are likely to be
- sent across the wire to Facebook's servers and face-recognition
- algorithms.</p>
+ <p>The article should not have described these apps as
+ “free”—they are not free software. The clear way
+ to say “zero price” is “gratis.”</p>
- <p>If so, none of Facebook users' pictures are private
- anymore, even if the user didn't “upload” them to the
service.</p>
+ <p>The article takes for granted that the usual analytics tools are
+ legitimate, but is that valid? Software developers have no right to
+ analyze what users are doing or how. “Analytics” tools
+ that snoop are just as wrong as any other snooping.</p>
</li>
- <li><p>Like most “music screaming” disservices, Spotify
- is based on proprietary malware (DRM and snooping). In August
- 2015 it <a
-href="http://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy";>
- demanded users submit to increased snooping</a>, and some
- are starting to realize that it is nasty.</p>
+ <li id="M201510300">
+ <p>More than 73% and 47% of mobile applications, from Android and iOS
+ respectively <a href="https://techscience.org/a/2015103001/";>share
+ personal, behavioral and location information</a> of their users with
+ third parties.</p>
+ </li>
+
+ <li id="M201508210">
+ <p>Like most “music screaming” disservices, Spotify is
+ based on proprietary malware (DRM and snooping). In August 2015 it <a
+
href="http://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy";>
+ demanded users submit to increased snooping</a>, and some are starting
+ to realize that it is nasty.</p>
<p>This article shows the <a
-href="https://web.archive.org/web/20160313214751/http://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/";>
- twisted ways that they present snooping as a way
- to “serve” users better</a>—never mind
- whether they want that. This is a typical example of
- the attitude of the proprietary software industry towards
- those they have subjugated.</p>
+
href="https://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/";>
+ twisted ways that they present snooping as a way to “serve”
+ users better</a>—never mind whether they want that. This is a
+ typical example of the attitude of the proprietary software industry
+ towards those they have subjugated.</p>
<p>Out, out, damned Spotify!</p>
</li>
- <li><p>Many proprietary apps for mobile devices report which other
- apps the user has
- installed. <a
href="http://techcrunch.com/2014/11/26/twitter-app-graph/";>Twitter
- is doing this in a way that at least is visible and
- optional</a>. Not as bad as what the others do.</p>
+
+ <li id="M201506264">
+ <p><a
+
href="http://www.privmetrics.org/wp-content/uploads/2015/06/wisec2015.pdf";>A
+ study in 2015</a> found that 90% of the top-ranked gratis proprietary
+ Android apps contained recognizable tracking libraries. For the paid
+ proprietary apps, it was only 60%.</p>
+
+ <p>The article confusingly describes gratis apps as
+ “free”, but most of them are not in fact <a
+ href="/philosophy/free-sw.html">free software</a>. It also uses the
+ ugly word “monetize”. A good replacement for that word
+ is “exploit”; nearly always that will fit perfectly.</p>
+ </li>
+
+ <li id="M201505060">
+ <p>Gratis Android apps (but not <a
+ href="/philosophy/free-sw.html">free software</a>) connect to 100 <a
+
href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites";>tracking
+ and advertising</a> URLs, on the average.</p>
+ </li>
+
+ <li id="M201504060">
+ <p>Widely used <a
+
href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/";>proprietary
+ QR-code scanner apps snoop on the user</a>. This is in addition to
+ the snooping done by the phone company, and perhaps by the OS in
+ the phone.</p>
+
+ <p>Don't be distracted by the question of whether the app developers
+ get users to say “I agree”. That is no excuse for
+ malware.</p>
</li>
- <li><p>FTC says most mobile apps for children don't respect privacy:
- <a
href="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/";>
-
http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>.</p>
+ <li id="M201411260">
+ <p>Many proprietary apps for mobile devices
+ report which other apps the user has installed. <a
+ href="http://techcrunch.com/2014/11/26/twitter-app-graph/";>Twitter
+ is doing this in a way that at least is visible and optional</a>. Not
+ as bad as what the others do.</p>
</li>
- <li><p>Widely used <a
href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/";>proprietary
- QR-code scanner apps snoop on the user</a>. This is in addition to
- the snooping done by the phone company, and perhaps by the OS in the
- phone.</p>
+ <li id="M201401151">
+ <p>Baidu's <a href="#baidu-ime">spying <abbr title="Input Method
+ Editor">IME</abbr></a> is also available for smartphones.</p>
+ </li>
- <p>Don't be distracted by the question of whether the app developers get
- users to say “I agree”. That is no excuse for malware.</p>
+ <li id="M201312270">
+ <p>The nonfree Snapchat app's principal purpose is to restrict the
+ use of data on the user's computer, but it does surveillance too: <a
+
href="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers";>
+ it tries to get the user's list of other people's phone
+ numbers</a>.</p>
</li>
- <li><p>The Brightest Flashlight app
- <a
href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers";>
- sends user data, including geolocation, for use by companies.</a></p>
+ <li id="M201312060">
+ <p>The Brightest Flashlight app <a
+
href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers";>
+ sends user data, including geolocation, for use by companies</a>.</p>
<p>The FTC criticized this app because it asked the user to
- approve sending personal data to the app developer but did not
- ask about sending it to other companies. This shows the
- weakness of the reject-it-if-you-dislike-snooping
- “solution” to surveillance: why should a flashlight
- app send any information to anyone? A free software flashlight
- app would not.</p>
+ approve sending personal data to the app developer but did not ask
+ about sending it to other companies. This shows the weakness of
+ the reject-it-if-you-dislike-snooping “solution” to
+ surveillance: why should a flashlight app send any information to
+ anyone? A free software flashlight app would not.</p>
+ </li>
+
+ <li id="M201212100">
+ <p>FTC says most mobile apps for children don't respect privacy: <a
+
href="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/";>
+
http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInGames">Spyware in Games</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInGames">#SpywareInGames</a>)</span>
+ <h4 id="SpywareInSkype">Skype</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInSkype">#SpywareInSkype</a>)</span>
</div>
-<ul>
- <li><p>Angry Birds
- <a
href="http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html";>
- spies for companies, and the NSA takes advantage to spy through it
too</a>.
- Here's information on
- <a
href="http://confabulator.blogspot.com/2012/11/analysis-of-what-information-angry.html";>
- more spyware apps</a>.</p>
- <p><a
href="http://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data";>
- More about NSA app spying</a>.</p>
+<ul class="blurbs">
+ <li id="M201307110">
+ <p>Skype contains <a
+
href="https://web.archive.org/web/20130928235637/http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/";>spyware</a>.
+ Microsoft changed Skype <a
+
href="http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data";>
+ specifically for spying</a>.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInToys">Spyware in Toys</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInToys">#SpywareInToys</a>)</span>
+ <h4 id="SpywareInGames">Games</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInGames">#SpywareInGames</a>)</span>
</div>
-<ul>
- <li><p>A computerized
- vibrator <a
href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack";>snoops
- on its users through the proprietary control app</a>.</p>
-
- <p>The app reports the temperature of the vibrator minute by
- minute (thus, indirectly, whether it is surrounded by a person's
- body), and the vibration frequency.</p>
+<ul class="blurbs">
+ <li id="M201806240">
+ <p>Red Shell is a spyware that
+ is found in many proprietary games. It <a
+
href="https://nebulous.cloud/threads/red-shell-illegal-spyware-for-steam-games.31924/";>
+ tracks data on users' computers and sends it to third parties</a>.</p>
+ </li>
+
+ <li id="M201804144">
+ <p>ArenaNet surreptitiously installed a spyware
+ program along with an update to the massive
+ multiplayer game Guild War 2. The spyware allowed ArenaNet <a
+
href="https://techraptor.net/content/arenanet-used-spyware-anti-cheat-for-guild-wars-2-banwave";>
+ to snoop on all open processes running on its user's computer</a>.</p>
+ </li>
+
+ <li id="M201711070">
+ <p>The driver for a certain gaming keyboard <a
+
href="https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html";>sends
+ information to China</a>.</p>
+ </li>
+
+ <li id="M201611070">
+ <p>nVidia's proprietary GeForce Experience <a
+
href="http://www.gamersnexus.net/industry/2672-geforce-experience-data-transfer-analysis";>makes
+ users identify themselves and then sends personal data about them to
+ nVidia servers</a>.</p>
+ </li>
+
+ <li id="M201512290">
+ <p>Many <a
+
href="http://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html/";>
+ video game consoles snoop on their users and report to the
+ internet</a>—even what their users weigh.</p>
- <p>Note the totally inadequate proposed response: a labeling
- standard with which manufacturers would make statements about
- their products, rather than free software which users can check
- and change.</p>
+ <p>A game console is a computer, and you can't trust a computer with
+ a nonfree operating system.</p>
</li>
- <li><p>Barbie
- <a
href="http://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673";>is
going to spy on children and adults.</a>.</p>
+
+ <li id="M201509160">
+ <p>Modern gratis game cr…apps <a
+
href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/";>
+ collect a wide range of data about their users and their users'
+ friends and associates</a>.</p>
+
+ <p>Even nastier, they do it through ad networks that merge the data
+ collected by various cr…apps and sites made by different
+ companies.</p>
+
+ <p>They use this data to manipulate people to buy things, and hunt for
+ “whales” who can be led to spend a lot of money. They also
+ use a back door to manipulate the game play for specific players.</p>
+
+ <p>While the article describes gratis games, games that cost money
+ can use the same tactics.</p>
+ </li>
+
+ <li id="M201401280">
+ <p>Angry Birds <a
+
href="http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html";>
+ spies for companies, and the NSA takes advantage
+ to spy through it too</a>. Here's information on <a
+
href="http://confabulator.blogspot.com/2012/11/analysis-of-what-information-angry.html";>
+ more spyware apps</a>.</p>
+
+ <p><a
+
href="http://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data";>
+ More about NSA app spying</a>.</p>
+ </li>
+
+ <li id="M200510200">
+ <p>Blizzard Warden is a hidden
+ “cheating-prevention” program that <a
+ href="https://www.eff.org/deeplinks/2005/10/new-gaming-feature-spyware";>
+ spies on every process running on a gamer's computer and sniffs a
+ good deal of personal data</a>, including lots of activities which
+ have nothing to do with cheating.</p>
</li>
</ul>
-<!-- #SpywareAtLowLevel -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
<div class="big-section">
- <h3 id="SpywareAtLowLevel">Spyware at Low Level</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareAtLowLevel">#SpywareAtLowLevel</a>)</span>
+ <h3 id="SpywareInEquipment">Spyware in Connected Equipment</h3>
+ <span class="anchor-reference-id">(<a
href="#SpywareInEquipment">#SpywareInEquipment</a>)</span>
</div>
<div style="clear: left;"></div>
+<ul class="blurbs">
+ <li id="M201708280">
+ <p>The bad security in many Internet of Stings devices allows <a
+
href="https://www.techdirt.com/articles/20170828/08152938092/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you.shtml";>ISPs
+ to snoop on the people that use them</a>.</p>
-<div class="big-subsection">
- <h4 id="SpywareInBIOS">Spyware in BIOS</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInBIOS">#SpywareInBIOS</a>)</span>
-</div>
+ <p>Don't be a sucker—reject all the stings.</p>
-<ul>
-<li><p>
-<a
href="http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html";>
-Lenovo stealthily installed crapware and spyware via BIOS</a> on Windows
installs.
-Note that the specific sabotage method Lenovo used did not affect
-GNU/Linux; also, a “clean” Windows install is not really
-clean since <a href="/proprietary/malware-microsoft.html">Microsoft
-puts in its own malware</a>.
-</p></li>
+ <p>It is unfortunate that the article uses the term “<a
+ href="/philosophy/words-to-avoid.html#Monetize">monetize</a>”.</p>
+ </li>
</ul>
-<!-- #SpywareAtWork -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
-<div class="big-section">
- <h3 id="SpywareAtWork">Spyware at Work</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareAtWork">#SpywareAtWork</a>)</span>
+<div class="big-subsection">
+ <h4 id="SpywareInTVSets">TV Sets</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInTVSets">#SpywareInTVSets</a>)</span>
</div>
-<div style="clear: left;"></div>
-<ul>
- <li><p>Investigation
- Shows <a
href="https://www.techdirt.com/articles/20160602/17210734610/investigation-shows-gchq-using-us-companies-nsa-to-route-around-domestic-surveillance-restrictions.shtml";>GCHQ
- Using US Companies, NSA To Route Around Domestic Surveillance
- Restrictions</a>.</p>
+<p>Emo Phillips made a joke: The other day a woman came up to me and
+said, “Didn't I see you on television?” I said, “I
+don't know. You can't see out the other way.” Evidently that was
+before Amazon “smart” TVs.</p>
- <p>Specifically, it can collect the emails of members of Parliament
- this way, because they pass it through Microsoft.</p></li>
+<ul class="blurbs">
+ <li id="M201804010">
+ <p>Some “Smart” TVs automatically <a
+
href="https://web.archive.org/web/20180405014828/https:/twitter.com/buro9/status/980349887006076928";>load
+ downgrades that install a surveillance app</a>.</p>
+
+ <p>We link to the article for the facts it presents. It
+ is too bad that the article finishes by advocating the
+ moral weakness of surrendering to Netflix. The Netflix app <a
+ href="/proprietary/malware-google.html#netflix-app-geolocation-drm">is
+ malware too</a>.</p>
+ </li>
+
+ <li id="M201702060">
+ <p>Vizio “smart” <a
+
href="https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen";>TVs
+ report everything that is viewed on them, and not just broadcasts and
+ cable</a>. Even if the image is coming from the user's own computer,
+ the TV reports what it is. The existence of a way to disable the
+ surveillance, even if it were not hidden as it was in these TVs,
+ does not legitimize the surveillance.</p>
+ </li>
+
+ <li id="M201511130">
+ <p>Some web and TV advertisements play inaudible
+ sounds to be picked up by proprietary malware running
+ on other devices in range so as to determine that they
+ are nearby. Once your Internet devices are paired with
+ your TV, advertisers can correlate ads with Web activity, and other <a
+
href="http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/";>cross-device
+ tracking</a>.</p>
+ </li>
+
+ <li id="M201511060">
+ <p>Vizio goes a step further than other TV
+ manufacturers in spying on their users: their <a
+
href="http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you";>
+ “smart” TVs analyze your viewing habits in detail and
+ link them your IP address</a> so that advertisers can track you
+ across devices.</p>
+
+ <p>It is possible to turn this off, but having it enabled by default
+ is an injustice already.</p>
+ </li>
- <li><p>Spyware in Cisco TNP IP phones:
- <a
href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html";>
-
http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html</a></p>
+ <li id="M201511020">
+ <p>Tivo's alliance with Viacom adds 2.3 million households
+ to the 600 millions social media profiles the company
+ already monitors. Tivo customers are unaware they're
+ being watched by advertisers. By combining TV viewing
+ information with online social media participation, Tivo can now <a
+
href="http://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102";>correlate
+ TV advertisement with online purchases</a>, exposing all users to
+ new combined surveillance by default.</p>
+ </li>
+
+ <li id="M201507240">
+ <p>Vizio “smart” TVs recognize and <a
+ href="http://www.engadget.com/2015/07/24/vizio-ipo-inscape-acr/";>track
+ what people are watching</a>, even if it isn't a TV channel.</p>
+ </li>
+
+ <li id="M201505290">
+ <p><a
+
href="http://arstechnica.com/business/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/";>Verizon
+ cable TV snoops on what programs people watch, and even what they
+ wanted to record</a>.</p>
+ </li>
+
+ <li id="M201504300">
+ <p>Vizio <a
+ href="http://boingboing.net/2015/04/30/telescreen-watch-vizio-adds-s.html";>
+ used a firmware “upgrade” to make its TVs snoop on what
+ users watch</a>. The TVs did not do that when first sold.</p>
+ </li>
+
+ <li id="M201502090">
+ <p>The Samsung “Smart” TV <a
+
href="http://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm";>transmits
+ users' voice on the internet to another company, Nuance</a>.
+ Nuance can save it and would then have to give it to the US or some
+ other government.</p>
+
+ <p>Speech recognition is not to be trusted unless it is done by free
+ software in your own computer.</p>
+
+ <p>In its privacy policy, Samsung explicitly confirms that <a
+
href="http://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs";>voice
+ data containing sensitive information will be transmitted to third
+ parties</a>.</p>
+ </li>
+
+ <li id="M201411090">
+ <p>The Amazon “Smart” TV <a
+
href="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance";>is
+ snooping all the time</a>.</p>
+ </li>
+
+ <li id="M201409290">
+ <p>More or less all “smart” TVs <a
+
href="http://www.myce.com/news/reseachers-all-smart-tvs-spy-on-you-sony-monitors-all-channel-switches-72851/";>spy
+ on their users</a>.</p>
+
+ <p>The report was as of 2014, but we don't expect this has got
+ better.</p>
+
+ <p>This shows that laws requiring products to get users' formal
+ consent before collecting personal data are totally inadequate.
+ And what happens if a user declines consent? Probably the TV will
+ say, “Without your consent to tracking, the TV will not
+ work.”</p>
+
+ <p>Proper laws would say that TVs are not allowed to report what the
+ user watches—no exceptions!</p>
+ </li>
+
+ <li id="M201405200">
+ <p>Spyware in <a
+
href="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html";>
+ LG “smart” TVs</a> reports what the user watches, and the
+ switch to turn this off has no effect. (The fact that the transmission
+ reports a 404 error really means nothing; the server could save that
+ data anyway.)</p>
+
+ <p>Even worse, it <a
+
href="http://rambles.renney.me/2013/11/lg-tv-logging-filenames-from-network-folders/";>
+ snoops on other devices on the user's local network</a>.</p>
+
+ <p>LG later said it had installed a patch to stop this, but any
+ product could spy this way.</p>
+
+ <p>Meanwhile, LG TVs <a
+
href="http://www.techdirt.com/articles/20140511/17430627199/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties.shtml";>
+ do lots of spying anyway</a>.</p>
+ </li>
+
+ <li id="M201212170">
+ <p id="break-security-smarttv"><a
+
href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html";>
+ Crackers found a way to break security on a “smart” TV</a>
+ and use its camera to watch the people who are watching TV.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInSkype">Spyware in Skype</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInSkype">#SpywareInSkype</a>)</span>
+ <h4 id="SpywareInCameras">Cameras</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInCameras">#SpywareInCameras</a>)</span>
</div>
-<ul>
- <li><p>Spyware in Skype:
- <a
href="http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/";>
-
http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/</a>.
- Microsoft changed Skype
- <a
href="http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data";>
- specifically for spying</a>.</p>
+<ul class="blurbs">
+ <li id="M201710040">
+ <p>Every “home security” camera, if its
+ manufacturer can communicate with it, is a surveillance device. <a
+
href="https://www.theverge.com/circuitbreaker/2017/10/4/16426394/canary-smart-home-camera-free-service-update-change";>
+ Canary camera is an example</a>.</p>
+
+ <p>The article describes wrongdoing by the manufacturer, based on
+ the fact that the device is tethered to a server.</p>
+
+ <p><a href="/proprietary/proprietary-tethers.html">More about
+ proprietary tethering</a>.</p>
+
+ <p>But it also demonstrates that the device gives the company
+ surveillance capability.</p>
</li>
-</ul>
+ <li id="M201706201">
+ <p>Many models of Internet-connected cameras <a
+ href="/proprietary/proprietary-back-doors.html#InternetCameraBackDoor">
+ have backdoors</a>.</p>
+ <p>That is a malicious functionality, but in addition it
+ is a gross insecurity since anyone, including malicious crackers, <a
+
href="https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/";>can
+ find those accounts and use them to get into users' cameras</a>.</p>
+ </li>
-<!-- #SpywareOnTheRoad -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+ <li id="M201603220">
+ <p>Over 70 brands of network-connected surveillance cameras <a
+
href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html";>have
+ security bugs that allow anyone to watch through them</a>.</p>
+ </li>
+
+ <li id="M201511250">
+ <p>The Nest Cam “smart” camera is <a
+ href="http://www.bbc.com/news/technology-34922712";>always watching</a>,
+ even when the “owner” switches it “off.”</p>
+
+ <p>A “smart” device means the manufacturer is using it
+ to outsmart you.</p>
+ </li>
+
+ <li id="M201309050">
+ <p>The FTC punished a company for making webcams with <a
+
href="http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html";>
+ bad security so that it was easy for anyone to watch through
+ them</a>.</p>
+ </li>
+</ul>
-<div class="big-section">
- <h3 id="SpywareOnTheRoad">Spyware on The Road</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareOnTheRoad">#SpywareOnTheRoad</a>)</span>
-</div>
-<div style="clear: left;"></div>
<div class="big-subsection">
- <h4 id="SpywareInCameras">Spyware in Cameras</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInCameras">#SpywareInCameras</a>)</span>
+ <h4 id="SpywareInToys">Toys</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInToys">#SpywareInToys</a>)</span>
</div>
-<ul>
- <li>
- <p>The Nest Cam “smart” camera is <a
- href="http://www.bbc.com/news/technology-34922712";>always
- watching</a>, even when the “owner” switches it
“off.”</p>
- <p>A “smart” device means the manufacturer is using it to
outsmart
- you.</p>
+<ul class="blurbs">
+ <li id="M201711244">
+ <p>The Furby Connect has a <a
+
href="https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect";>
+ universal back door</a>. If the product as shipped doesn't act as a
+ listening device, remote changes to the code could surely convert it
+ into one.</p>
+ </li>
+
+ <li id="M201711100">
+ <p>A remote-control sex toy was found to make <a
+
href="https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-survei";>audio
+ recordings of the conversation between two users</a>.</p>
+ </li>
+
+ <li id="M201703140">
+ <p>A computerized vibrator <a
+
href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack";>
+ was snooping on its users through the proprietary control app</a>.</p>
+
+ <p>The app was reporting the temperature of the vibrator minute by
+ minute (thus, indirectly, whether it was surrounded by a person's
+ body), as well as the vibration frequency.</p>
+
+ <p>Note the totally inadequate proposed response: a labeling
+ standard with which manufacturers would make statements about their
+ products, rather than free software which users could have checked
+ and changed.</p>
+
+ <p>The company that made the vibrator <a
+
href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit";>
+ was sued for collecting lots of personal information about how people
+ used it</a>.</p>
+
+ <p>The company's statement that it was anonymizing the data may be
+ true, but it doesn't really matter. If it had sold the data to a data
+ broker, the data broker would have been able to figure out who the
+ user was.</p>
+
+ <p>Following this lawsuit, <a
+
href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits";>
+ the company has been ordered to pay a total of C$4m</a> to its
+ customers.</p>
+ </li>
+
+ <li id="M201702280">
+ <p>“CloudPets” toys with microphones <a
+
href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults";>
+ leak childrens' conversations to the manufacturer</a>. Guess what? <a
+
href="https://motherboard.vice.com/en_us/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings";>
+ Crackers found a way to access the data</a> collected by the
+ manufacturer's snooping.</p>
+
+ <p>That the manufacturer and the FBI could listen to these
+ conversations was unacceptable by itself.</p>
+ </li>
+
+ <li id="M201612060">
+ <p>The “smart” toys My Friend Cayla and i-Que transmit <a
+
href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws";>children's
+ conversations to Nuance Communications</a>, a speech recognition
+ company based in the U.S.</p>
+
+ <p>Those toys also contain major security vulnerabilities; crackers
+ can remotely control the toys with a mobile phone. This would enable
+ crackers to listen in on a child's speech, and even speak into the
+ toys themselves.</p>
+ </li>
+
+ <li id="M201502180">
+ <p>Barbie <a
+
href="http://www.mirror.co.uk/news/technology-science/technology/wi-fi-spy-barbie-records-childrens-5177673";>is
+ going to spy on children and adults</a>.</p>
</li>
</ul>
+
<div class="big-subsection">
- <h4 id="SpywareInElectronicReaders">Spyware in e-Readers</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInElectronicReaders">#SpywareInElectronicReaders</a>)</span>
+ <h4 id="SpywareAtHome">Other Home Appliances</h4><span
class="anchor-reference-id">(<a href="#SpywareAtHome">#SpywareAtHome</a>)</span>
</div>
-<ul>
- <li><p>E-books can contain Javascript code,
- and <a
href="http://www.theguardian.com/books/2016/mar/08/men-make-up-their-minds-about-books-faster-than-women-study-finds";>sometimes
- this code snoops on readers</a>.</p>
+<ul class="blurbs">
+ <li id="M201808120">
+ <p>Crackers found a way to break the security of an Amazon device,
+ and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html";>
+ turn it into a listening device</a> for them.</p>
+
+ <p>It was very difficult for them to do this. The job would be much
+ easier for Amazon. And if some government such as China or the US
+ told Amazon to do this, or cease to sell the product in that country,
+ do you think Amazon would have the moral fiber to say no?</p>
+
+ <p>These crackers are probably hackers too, but please <a
+ href="https://stallman.org/articles/on-hacking.html";> don't use
+ “hacking” to mean “breaking security”</a>.</p>
</li>
- <li><p>Spyware in many e-readers—not only the
- Kindle: <a href="https://www.eff.org/pages/reader-privacy-chart-2012";>
- they report even which page the user reads at what time</a>.</p>
+ <li id="M201804140">
+ <p>A medical insurance company <a
+
href="https://wolfstreet.com/2018/04/14/our-dental-insurance-sent-us-free-internet-connected-toothbrushes-and-this-is-what-happened-next";>
+ offers a gratis electronic toothbrush that snoops on its user by
+ sending usage data back over the Internet</a>.</p>
</li>
- <li><p>Adobe made “Digital Editions,” the e-reader used
- by most US libraries,
- <a
href="http://www.computerworlduk.com/blogs/open-enterprise/drm-strikes-again-3575860/";>
- send lots of data to Adobe</a>. Adobe's “excuse”: it's
- needed to check DRM!</p>
+ <li id="M201706204">
+ <p>Lots of “smart” products are designed <a
+
href="http://enews.cnet.com/ct/42931641:shoPz52LN:m:1:1509237774:B54C9619E39F7247C0D58117DD1C7E96:r:27417204357610908031812337994022";>to
+ listen to everyone in the house, all the time</a>.</p>
+
+ <p>Today's technological practice does not include any way of making
+ a device that can obey your voice commands without potentially spying
+ on you. Even if it is air-gapped, it could be saving up records
+ about you for later examination.</p>
+ </li>
+
+ <li id="M201407170">
+ <p id="nest-thermometers">Nest thermometers send <a
+ href="http://bgr.com/2014/07/17/google-nest-jailbreak-hack";>a lot of
+ data about the user</a>.</p>
+ </li>
+
+ <li id="M201310260">
+ <p><a
+
href="http://consumerman.com/Rent-to-own%20giant%20accused%20of%20spying%20on%20its%20customers.htm";>
+ Rent-to-own computers were programmed to spy on their renters</a>.</p>
</li>
</ul>
+
<div class="big-subsection">
- <h4 id="SpywareInVehicles">Spyware in Vehicles</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInVehicles">#SpywareInVehicles</a>)</span>
+ <h4 id="SpywareOnWearables">Wearables</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareOnWearables">#SpywareOnWearables</a>)</span>
</div>
-<ul>
-<li><p>Computerized cars with nonfree software are
- <a
href="http://www.bloomberg.com/news/articles/2016-07-12/your-car-s-been-studying-you-closely-and-everyone-wants-the-data";>
- snooping devices</a>.</p>
- </li>
-
- <li><p>The Nissan Leaf has a built-in cell phone modem which allows
- effectively
- anyone <a
href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/";>to
- access its computers remotely and make changes in various
- settings</a>.</p>
+<ul class="blurbs">
+ <li id="M201807260">
+ <p>Tommy Hilfiger clothing <a
+
href="https://www.theguardian.com/fashion/2018/jul/26/tommy-hilfiger-new-clothing-line-monitor-customers";>will
+ monitor how often people wear it</a>.</p>
- <p>That's easy to do because the system has no authentication when
- accessed through the modem. However, even if it asked for
- authentication, you couldn't be confident that Nissan has no
- access. The software in the car is
- proprietary, <a
href="/philosophy/free-software-even-more-important.html">which
- means it demands blind faith from its users</a>.</p>
-
- <p>Even if no one connects to the car remotely, the cell phone
- modem enables the phone company to track the car's movements all
- the time; it is possible to physically remove the cell phone modem
- though.</p>
- </li>
-
- <li><p>Proprietary software in cars
- <a
href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/";>records
information about drivers' movements</a>,
- which is made available to car manufacturers, insurance companies, and
- others.</p>
-
- <p>The case of toll-collection systems, mentioned in this article, is not
- really a matter of proprietary surveillance. These systems are an
- intolerable invasion of privacy, and should be replaced with anonymous
- payment systems, but the invasion isn't done by malware. The other
- cases mentioned are done by proprietary malware in the car.</p></li>
-
- <li><p>Tesla cars allow the company to extract data remotely and
- determine the car's location at any time. (See
- <a
href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf";>
- Section 2, paragraphs b and c.</a>). The company says it doesn't
- store this information, but if the state orders it to get the data
- and hand it over, the state can store it.</p>
+ <p>This will teach the sheeple to find it normal that companies
+ monitor every aspect of what they do.</p>
</li>
</ul>
-<!-- #SpywareAtHome -->
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+<h5 id="SpywareOnSmartWatches">“Smart” Watches</h5>
-<div class="big-section">
- <h3 id="SpywareAtHome">Spyware at Home</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareAtHome">#SpywareAtHome</a>)</span>
-</div>
-<div style="clear: left;"></div>
+<ul class="blurbs">
+ <li id="M201603020">
+ <p>A very cheap “smart watch” comes with an Android app <a
+
href="https://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/";>
+ that connects to an unidentified site in China</a>.</p>
-<ul>
- <li><p><a
href="http://consumerman.com/Rent-to-own%20giant%20accused%20of%20spying%20on%20its%20customers.htm";>
- Rent-to-own computers were programmed to spy on their renters</a>.</p>
+ <p>The article says this is a back door, but that could be a
+ misunderstanding. However, it is certainly surveillance, at least.</p>
+ </li>
+
+ <li id="M201407090">
+ <p>An LG “smart” watch is designed <a
+
href="http://www.huffingtonpost.co.uk/2014/07/09/lg-kizon-smart-watch_n_5570234.html";>
+ to report its location to someone else and to transmit conversations
+ too</a>.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInTVSets">Spyware in TV Sets</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInTVSets">#SpywareInTVSets</a>)</span>
+ <h4 id="SpywareInVehicles">Vehicles</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInVehicles">#SpywareInVehicles</a>)</span>
</div>
-<p>Emo Phillips made a joke: The other day a woman came up to me and
-said, “Didn't I see you on television?” I said, “I
-don't know. You can't see out the other way.” Evidently that was
-before Amazon “smart” TVs.</p>
-
-<ul>
- <li><p>Vizio goes a step further than other TV manufacturers in spying on
- their users: their <a
href="http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you";>
- “smart” TVs analyze your viewing habits in detail and
- link them your IP address</a> so that advertisers can track you
- across devices.</p>
-
- <p>It is possible to turn this off, but having it enabled by default
- is an injustice already.</p>
+<ul class="blurbs">
+ <li id="M201711230">
+ <p>AI-powered driving apps can <a
+
href="https://motherboard.vice.com/en_us/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move";>
+ track your every move</a>.</p>
</li>
- <li><p>Tivo's alliance with Viacom adds 2.3 million households to
- the 600 millions social media profiles the company already
- monitors. Tivo customers are unaware they're being watched by
- advertisers. By combining TV viewing information with online
- social media participation, Tivo can now <a
href="http://www.reuters.com/article/viacom-tivo-idUSL1N12U1VV20151102";>correlate
TV
- advertisement with online purchases</a>, exposing all users to
- new combined surveillance by default.</p></li>
- <li><p>Some web and TV advertisements play inaudible sounds to be
- picked up by proprietary malware running on other devices in
- range so as to determine that they are nearby. Once your
- Internet devices are paired with your TV, advertisers can
- correlate ads with Web activity, and
- other <a
href="http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/";>cross-device
tracking</a>.</p>
- </li>
- <li><p>Vizio “smart” TVs recognize and
- <a
href="http://www.engadget.com/2015/07/24/vizio-ipo-inscape-acr/";>track what
people are watching</a>,
- even if it isn't a TV channel.</p>
- </li>
- <li><p>The Amazon “Smart” TV
- <a
href="http://www.theguardian.com/technology/shortcuts/2014/nov/09/amazon-echo-smart-tv-watching-listening-surveillance";>is
- watching and listening all the time</a>.</p>
- </li>
- <li><p>The Samsung “Smart” TV
- <a
href="http://www.consumerreports.org/cro/news/2015/02/who-s-the-third-party-that-samsung-and-lg-smart-tvs-are-sharing-your-voice-data-with/index.htm";>transmits
users' voice on the internet to another
- company, Nuance</a>. Nuance can save it and would then have to
- give it to the US or some other government.</p>
- <p>Speech recognition is not to be trusted unless it is done
- by free software in your own computer.</p>
- </li>
- <li><p>Spyware in
- <a
href="http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html";>
- LG “smart” TVs</a> reports what the user watches, and
- the switch to turn this off has no effect. (The fact that the
- transmission reports a 404 error really means nothing; the server
- could save that data anyway.)</p>
-
- <p>Even worse, it
- <a
href="http://rambles.renney.me/2013/11/lg-tv-logging-filenames-from-network-folders/";>
- snoops on other devices on the user's local network.</a></p>
-
- <p>LG later said it had installed a patch to stop this, but any product
- could spy this way.</p>
-
- <p>Meanwhile, LG TVs
- <a
href="http://www.techdirt.com/articles/20140511/17430627199/lg-will-take-smart-out-your-smart-tv-if-you-dont-agree-to-share-your-viewing-search-data-with-third-parties.shtml";>
do lots of spying anyway</a>.</p>
+ <li id="M201607160">
+ <p>Computerized cars with nonfree software are <a
+
href="http://www.thelowdownblog.com/2016/07/your-cars-been-studying-you-closely-and.html";>
+ snooping devices</a>.</p>
</li>
- <li>
- <p><a
href="http://arstechnica.com/business/2015/05/verizon-fios-reps-know-what-tv-channels-you-watch/";>Verizon
cable TV snoops on what programs people watch, and even what they wanted to
record.</a></p>
+
+ <li id="M201602240">
+ <p id="nissan-modem">The Nissan Leaf has a built-in
+ cell phone modem which allows effectively anyone <a
+ href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/";>to
+ access its computers remotely and make changes in various
+ settings</a>.</p>
+
+ <p>That's easy to do because the system has no authentication
+ when accessed through the modem. However, even if it asked
+ for authentication, you couldn't be confident that Nissan
+ has no access. The software in the car is proprietary, <a
+ href="/philosophy/free-software-even-more-important.html">which means
+ it demands blind faith from its users</a>.</p>
+
+ <p>Even if no one connects to the car remotely, the cell phone modem
+ enables the phone company to track the car's movements all the time;
+ it is possible to physically remove the cell phone modem, though.</p>
+ </li>
+
+ <li id="M201306140">
+ <p>Tesla cars allow the company to extract
+ data remotely and determine the car's location
+ at any time. (See Section 2, paragraphs b and c of the <a
+
href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf";>
+ privacy statement</a>.) The company says it doesn't store this
+ information, but if the state orders it to get the data and hand it
+ over, the state can store it.</p>
+ </li>
+
+ <li id="M201303250">
+ <p id="records-drivers">Proprietary software in cars <a
+
href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/";>records
+ information about drivers' movements</a>, which is made available to
+ car manufacturers, insurance companies, and others.</p>
+
+ <p>The case of toll-collection systems, mentioned in this article,
+ is not really a matter of proprietary surveillance. These systems
+ are an intolerable invasion of privacy, and should be replaced with
+ anonymous payment systems, but the invasion isn't done by malware. The
+ other cases mentioned are done by proprietary malware in the car.</p>
</li>
</ul>
-<!-- #SpywareAtPlay -->
-<div class="big-section">
- <h3 id="SpywareAtPlay">Spyware at Play</h3>
- <span class="anchor-reference-id">(<a
href="#SpywareAtPlay">#SpywareAtPlay</a>)</span>
-</div>
-<div style="clear: left;"></div>
-<ul>
- <li><p>Many
- <a
href="http://www.thestar.com/news/canada/2015/12/29/how-much-data-are-video-games-collecting-about-you.html/";>
- video game consoles snoop on their users and report to the
- internet</a>— even what their users weigh.</p>
+<div class="big-subsection">
+ <h4 id="SpywareInDrones">Drones</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInDrones">#SpywareInDrones</a>)</span>
+</div>
- <p>A game console is a computer, and you can't trust a computer with
- a nonfree operating system.</p>
+<ul class="blurbs">
+ <li id="M201708040">
+ <p>While you're using a DJI drone
+ to snoop on other people, DJI is in many cases <a
+
href="https://www.theverge.com/2017/8/4/16095244/us-army-stop-using-dji-drones-cybersecurity";>snooping
+ on you</a>.</p>
</li>
+</ul>
- <li><p>Modern gratis game cr…apps
- <a
href="http://toucharcade.com/2015/09/16/we-own-you-confessions-of-a-free-to-play-producer/";>
- collect a wide range of data about their users and their users'
- friends and associates</a>.</p>
-
- <p>Even nastier, they do it through ad networks that merge the data
- collected by various cr…apps and sites made by different
- companies.</p>
- <p>They use this data to manipulate people to buy things, and hunt
- for “whales” who can be led to spend a lot of money. They
- also use a back door to manipulate the game play for specific
players.</p>
+<div class="big-subsection">
+ <h4 id="SpywareInVR">Virtual Reality</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInVR">#SpywareInVR</a>)</span>
+</div>
- <p>While the article describes gratis games, games that cost money
- can use the same tactics.</p>
+<ul class="blurbs">
+ <li id="M201612230">
+ <p>VR equipment, measuring every slight motion,
+ creates the potential for the most intimate
+ surveillance ever. All it takes to make this potential real <a
+
href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/";>is
+ software as malicious as many other programs listed in this
+ page</a>.</p>
+
+ <p>You can bet Facebook will implement the maximum possible
+ surveillance on Oculus Rift devices. The moral is, never trust a VR
+ system with nonfree software in it.</p>
</li>
</ul>
-<!-- #SpywareOnTheWeb -->
+
<div class="big-section">
<h3 id="SpywareOnTheWeb">Spyware on the Web</h3>
@@ -897,96 +1740,186 @@
makes no sense to call them “free” or
“proprietary”</a>,
but the surveillance is an abuse all the same.</p>
-<ul>
+<ul class="blurbs">
+ <li id="M201805170">
+ <p>The Storyful program <a
+
href="https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch";>spies
+ on the reporters that use it</a>.</p>
+ </li>
+
+ <li id="M201701060">
+ <p>When a page uses Disqus
+ for comments, the proprietary Disqus software <a
+
href="https://blog.dantup.com/2017/01/visiting-a-site-that-uses-disqus-comments-when-not-logged-in-sends-the-url-to-facebook";>loads
+ a Facebook software package into the browser of every anonymous visitor
+ to the page, and makes the page's URL available to Facebook</a>.</p>
+ </li>
+
+ <li id="M201612064">
+ <p>Online sales, with tracking and surveillance of customers, <a
+
href="https://www.theguardian.com/commentisfree/2016/dec/06/cookie-monsters-why-your-browsing-history-could-mean-rip-off-prices";>enables
+ businesses to show different people different prices</a>. Most of
+ the tracking is done by recording interactions with servers, but
+ proprietary software contributes.</p>
+ </li>
+
+ <li id="M201405140">
+ <p><a
+
href="http://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/";>
+ Microsoft SkyDrive allows the NSA to directly examine users'
+ data</a>.</p>
+ </li>
+
+ <li id="M201210240">
+ <p>Many web sites rat their visitors to advertising
+ networks that track users. Of the top 1000 web sites, <a
+
href="https://www.law.berkeley.edu/research/bclt/research/privacy-at-bclt/web-privacy-census/";>84%
+ (as of 5/17/2012) fed their visitors third-party cookies, allowing
+ other sites to track them</a>.</p>
+ </li>
- <li><p><a
href="http://japandailypress.com/government-warns-agencies-against-using-chinas-baidu-application-after-data-transmissions-discovered-2741553/";>
- Baidu's Japanese-input and Chinese-input apps spy on users.</a></p>
+ <li id="M201208210">
+ <p>Many web sites report all their visitors
+ to Google by using the Google Analytics service, which <a
+
href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/";>
+ tells Google the IP address and the page that was visited</a>.</p>
</li>
- <li><p>Pages that contain “Like” buttons
- <a
href="http://www.smh.com.au/technology/technology-news/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html";>
- enable Facebook to track visitors to those pages</a>—even
- users that don't have Facebook accounts.</p>
+ <li id="M201200000">
+ <p>Many web sites try to collect users' address books (the user's list
+ of other people's phone numbers or email addresses). This violates
+ the privacy of those other people.</p>
</li>
- <li><p>Many web sites rat their visitors to advertising networks that track
- users. Of the top 1000 web sites, <a
-
href="https://www.law.berkeley.edu/research/bclt/research/privacy-at-bclt/web-privacy-census/";>84%
- (as of 5/17/2012) fed their visitors third-party cookies, allowing other
- sites to track them</a>.</p>
+ <li id="M201110040">
+ <p>Pages that contain “Like” buttons <a
+
href="https://www.smh.com.au/technology/facebooks-privacy-lie-aussie-exposes-tracking-as-new-patent-uncovered-20111004-1l61i.html";>
+ enable Facebook to track visitors to those pages</a>—even users
+ that don't have Facebook accounts.</p>
+ </li>
+</ul>
+
+
+<div class="big-subsection">
+ <h4 id="SpywareInJavascript">JavaScript</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInJavascript">#SpywareInJavascript</a>)</span>
+</div>
+
+<ul class="blurbs">
+ <li id="M201807190">
+ <p>British Airways used <a
+
href="https://www.theverge.com/2018/7/19/17591732/british-airways-gdpr-compliance-twitter-personal-data-security";>nonfree
+ JavaScript on its web site to give other companies personal data on
+ its customers</a>.</p>
</li>
- <li><p>Many web sites report all their visitors to Google by using
- the Google Analytics service, which
- <a
href="http://www.pcworld.idg.com.au/article/434164/google_analytics_breaks_norwegian_privacy_laws_local_agency_said/";>
- tells Google the IP address and the page that was visited.</a></p>
+ <li id="M201712300">
+ <p>Some JavaScript malware <a
+
href="https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research";>
+ swipes usernames from browser-based password managers</a>.</p>
</li>
- <li><p>Many web sites try to collect users' address books (the
- user's list of other people's phone numbers or email addresses).
- This violates the privacy of those other people.</p>
+ <li id="M201712210">
+ <p>Many web sites use JavaScript code <a
+
href="http://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081";>
+ to snoop on information that users have typed into a
+ form but not sent</a>, in order to learn their identity. Some are <a
+
href="https://www.manatt.com/Insights/Newsletters/Advertising-Law/Sites-Illegally-Tracked-Consumers-New-Suits-Allege";>
+ getting sued</a> for this.</p>
</li>
- <li><p><a
href="http://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/";>
- Microsoft SkyDrive allows the NSA to directly examine users'
data</a>.</p>
+ <li id="M201711150">
+ <p>Some websites send
+ JavaScript code to collect all the user's input, <a
+
href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/";>which
+ can then be used to reproduce the whole session</a>.</p>
+
+ <p>If you use LibreJS, it will block that malicious JavaScript
+ code.</p>
</li>
</ul>
-<!-- WEBMASTERS: make sure to place new items on top under each subsection -->
+
<div class="big-subsection">
- <h4 id="SpywareInChrome">Spyware in Chrome</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInChrome">#SpywareInChrome</a>)</span>
+ <h4 id="SpywareInFlash">Flash</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInFlash">#SpywareInFlash</a>)</span>
</div>
-<ul>
- <li><p>Google Chrome makes it easy for an extension to do <a
-
href="https://labs.detectify.com/2015/07/28/how-i-disabled-your-chrome-security-extensions/";>total
- snooping on the user's browsing</a>, and many of them do so.</p>
+<ul class="blurbs">
+ <li id="M201310110">
+ <p>Flash and JavaScript are used for <a
+
href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/";>
+ “fingerprinting” devices</a> to identify users.</p>
+ </li>
+
+ <li id="M201003010">
+ <p>Flash Player's <a
+
href="http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/";>
+ cookie feature helps web sites track visitors</a>.</p>
</li>
</ul>
<div class="big-subsection">
- <h4 id="SpywareInFlash">Spyware in Flash</h4>
- <span class="anchor-reference-id">(<a
href="#SpywareInFlash">#SpywareInFlash</a>)</span>
+ <h4 id="SpywareInChrome">Chrome</h4>
+ <span class="anchor-reference-id">(<a
href="#SpywareInChrome">#SpywareInChrome</a>)</span>
</div>
-<ul>
- <li><p>Flash Player's
- <a
href="http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/";>
- cookie feature helps web sites track visitors</a>.</p>
+<ul class="blurbs">
+ <li id="M201507280">
+ <p>Google Chrome makes it easy for an extension to do <a
+
href="https://labs.detectify.com/2015/07/28/how-i-disabled-your-chrome-security-extensions/";>total
+ snooping on the user's browsing</a>, and many of them do so.</p>
</li>
- <li><p>Flash is also used for
- <a
href="http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/";>
- “fingerprinting” devices </a> to identify users.</p>
+ <li id="M201506180">
+ <p>Google Chrome includes a module that <a
+
href="https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/";>
+ activates microphones and transmits audio to its servers</a>.</p>
+ </li>
+
+ <li id="M201308040">
+ <p>Google Chrome <a
+ href="https://www.brad-x.com/2013/08/04/google-chrome-is-spyware/";>
+ spies on browser history, affiliations</a>, and other installed
+ software.</p>
+ </li>
+
+ <li id="M200809060">
+ <p>Google Chrome contains a key logger that <a
+ href="http://www.favbrowser.com/google-chrome-spyware-confirmed/";>
+ sends Google every URL typed in</a>, one key at a time.</p>
</li>
</ul>
-<p><a href="/philosophy/javascript-trap.html">Javascript code</a>
-is another method of “fingerprinting” devices.</p>
-<!-- #SpywareEverywhere -->
<div class="big-section">
- <h3 id="SpywareEverywhere">Spyware Everywhere</h3>
+ <h3 id="SpywareEverywhere">Spying on Fixed Communications</h3>
<span class="anchor-reference-id">(<a
href="#SpywareEverywhere">#SpywareEverywhere</a>)</span>
</div>
<div style="clear: left;"></div>
-<ul>
- <li><p>The natural extension of monitoring people through
- “their” phones is <a
-
href="http://www.northwestern.edu/newscenter/stories/2016/01/fool-activity-tracker.html";>
- proprietary software to make sure they can't “fool” the
- monitoring</a>.</p>
+<ul class="blurbs">
+ <li id="M201606030">
+ <p>Investigation Shows <a
+
href="https://www.techdirt.com/articles/20160602/17210734610/investigation-shows-gchq-using-us-companies-nsa-to-route-around-domestic-surveillance-restrictions.shtml";>GCHQ
+ Using US Companies, NSA To Route Around Domestic Surveillance
+ Restrictions</a>.</p>
+
+ <p>Specifically, it can collect the emails of members of Parliament
+ this way, because they pass it through Microsoft.</p>
</li>
- <li><p><a
href="http://www.pocket-lint.com/news/134954-cortana-is-always-listening-with-new-wake-on-voice-tech-even-when-windows-10-is-sleeping";>
- Intel devices will be able to listen for speech all the time, even when
“off.”</a></p>
+ <li id="M201212290">
+ <p>The Cisco <a
+
href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html";>TNP
+ IP phones contain a spyware</a>.</p>
</li>
</ul>
+
+
</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
@@ -1034,17 +1967,17 @@
There is more detail about copyright years in the GNU Maintainers
Information document, www.gnu.org/prep/maintain. -->
-<p>Copyright © 2015, 2016 Free Software Foundation, Inc.</p>
+<p>Copyright © 2015, 2016, 2017, 2018 Free Software Foundation, Inc.</p>
<p>This page is licensed under a <a rel="license"
-href="http://creativecommons.org/licenses/by-nd/4.0/";>Creative
-Commons Attribution-NoDerivatives 4.0 International License</a>.</p>
+href="http://creativecommons.org/licenses/by/4.0/";>Creative
+Commons Attribution 4.0 International License</a>.</p>
<!--#include virtual="/server/bottom-notes.html" -->
<p class="unprintable">Updated:
<!-- timestamp start -->
-$Date: 2016/08/24 15:32:45 $
+$Date: 2018/09/24 21:26:47 $
<!-- timestamp end -->
</p>
</div>
- www/server/staging/proprietary malware-microsof..., Therese Godefroy, 2018/09/23
- www/server/staging/proprietary malware-microsof...,
Therese Godefroy <=
- www/server/staging/proprietary malware-microsof..., Therese Godefroy, 2018/09/26
- www/server/staging/proprietary malware-microsof..., Therese Godefroy, 2018/09/26
- www/server/staging/proprietary malware-microsof..., Therese Godefroy, 2018/09/26
- www/server/staging/proprietary malware-microsof..., Therese Godefroy, 2018/09/26
- www/server/staging/proprietary malware-microsof..., Therese Godefroy, 2018/09/26